diff --git a/util/Nginx/Dockerfile b/util/Nginx/Dockerfile
index f34f29dcb..819e15c0a 100644
--- a/util/Nginx/Dockerfile
+++ b/util/Nginx/Dockerfile
@@ -10,6 +10,8 @@ RUN apt-get update \
 COPY nginx.conf /etc/nginx
 COPY proxy.conf /etc/nginx
 COPY mime.types /etc/nginx
+COPY security-headers.conf /etc/nginx
+COPY security-headers-ssl.conf /etc/nginx
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
diff --git a/util/Nginx/nginx.conf b/util/Nginx/nginx.conf
index ac7e5c3fb..fd379fefa 100644
--- a/util/Nginx/nginx.conf
+++ b/util/Nginx/nginx.conf
@@ -140,6 +140,9 @@ http {
 map $uri $fido_content_type {
 default "application/fido.trusted-apps+json";
 }
+
+# Security headers
+include security-headers.conf;
 # Include files in the sites-enabled folder. server{} configuration files should be
 # placed in the sites-available folder, and then the configuration should be enabled
diff --git a/util/Nginx/security-headers-ssl.conf b/util/Nginx/security-headers-ssl.conf
new file mode 100644
index 000000000..d94e835c4
--- /dev/null
+++ b/util/Nginx/security-headers-ssl.conf
@@ -0,0 +1,2 @@
+# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
+add_header Strict-Transport-Security max-age=15768000;
\ No newline at end of file
diff --git a/util/Nginx/security-headers.conf b/util/Nginx/security-headers.conf
new file mode 100644
index 000000000..3f1c79f89
--- /dev/null
+++ b/util/Nginx/security-headers.conf
@@ -0,0 +1,4 @@
+add_header Referrer-Policy same-origin;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
\ No newline at end of file
diff --git a/util/Setup/Templates/NginxConfig.hbs b/util/Setup/Templates/NginxConfig.hbs
index d5041b022..f103d9688 100644
--- a/util/Setup/Templates/NginxConfig.hbs
+++ b/util/Setup/Templates/NginxConfig.hbs
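Review bot: The new http-level `include security-headers.conf;` in nginx.conf only reaches server and location blocks that declare no `add_header` of their own, because nginx inherits `add_header` from the enclosing level solely when the current level defines none; a block that adds even one header (such as a Content-Security-Policy) drops the whole inherited set. The comment on the include should say so, so that anyone later adding a header to a location knows to re-include the file: `# NOTE: add_header is inherited only by blocks that define no add_header themselves; re-include this file in any server/location that adds its own header.` The `http {` block continues outside the hunk.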
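Review bot: `add_header Strict-Transport-Security max-age=15768000;` in security-headers-ssl.conf is emitted only on the success and redirect statuses (200, 201, 204, 206, 301–304, 307, 308) because the `always` parameter is not given, so 4xx/5xx responses served over TLS carry no HSTS; the same applies to every directive in security-headers.conf in the next hunk, where nosniff and X-Frame-Options are just as relevant on error pages. Appending `always` to each directive sends the header regardless of status, e.g. `add_header Strict-Transport-Security max-age=15768000 always;`. The comment line also has a typo and should end `6 months max-age` rather than `6 months age`.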
@@ -42,39 +42,46 @@ server {
 # Verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate {{{CaPath}}};
 resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
-{{/if}}
 {{/if}}
-# Security headers
-add_header Referrer-Policy same-origin;
-add_header X-Frame-Options SAMEORIGIN;
-{{#if Ssl}}
-add_header X-Content-Type-Options nosniff;
-# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
-add_header Strict-Transport-Security max-age=15768000;
+include /etc/nginx/security-headers-ssl.conf;
 {{/if}}
 location / {
 proxy_pass http://web:5000/;
-# Security headers
-add_header X-XSS-Protection "1; mode=block";
+include /etc/nginx/security-headers.conf;
+{{#if Ssl}}
+include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
 add_header Content-Security-Policy "{{{ContentSecurityPolicy}}}";
 }
 location = /app-id.json {
 proxy_pass http://web:5000/app-id.json;
+include /etc/nginx/security-headers.conf;
+{{#if Ssl}}
+include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
 proxy_hide_header Content-Type;
 add_header Content-Type $fido_content_type;
 }
 location = /duo-connector.html {
 proxy_pass http://web:5000/duo-connector.html;
-proxy_hide_header X-Frame-Options;
+include /etc/nginx/security-headers.conf;
+{{#if Ssl}}
+include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
+add_header X-Frame-Options "";
 }
 location = /u2f-connector.html {
 proxy_pass http://web:5000/u2f-connector.html;
-proxy_hide_header X-Frame-Options;
+include /etc/nginx/security-headers.conf;
+{{#if Ssl}}
+include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
+add_header X-Frame-Options "";
 }
 location /attachments/ {
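Review bot: `add_header X-Frame-Options "";` in the duo-connector and u2f-connector locations does not cancel the `add_header X-Frame-Options SAMEORIGIN;` pulled in by `include /etc/nginx/security-headers.conf;` a few lines above it: as far as I can tell from nginx's headers module, every `add_header` declared at one level is applied in order and an empty value is simply skipped rather than overriding an earlier one, so these responses would now carry `X-Frame-Options: SAMEORIGIN`. The removed `proxy_hide_header X-Frame-Options;` indicates these connector pages are meant to be framed, and with the hide gone the upstream's own X-Frame-Options would also pass through. Keep `proxy_hide_header X-Frame-Options;` in those two locations and include a variant of the headers file without the X-Frame-Options line (or list the other three `add_header` directives explicitly) in place of the empty `add_header`. Note also that the server-level `include /etc/nginx/security-headers-ssl.conf;` is itself an `add_header`, so any location in the Ssl server that declares no `add_header` inherits only HSTS and not the http-level security-headers.conf set; locations later in the file, starting with `/attachments/` at the end of this hunk, should be checked for that. The `server {` block continues outside the hunk.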