include security headers

util/Nginx/Dockerfile

@@ -10,6 +10,8 @@ RUN apt-get update \
 COPY nginx.conf /etc/nginx
 COPY proxy.conf /etc/nginx
 COPY mime.types /etc/nginx
+COPY security-headers.conf /etc/nginx
+COPY security-headers-ssl.conf /etc/nginx
 COPY entrypoint.sh /
 RUN chmod +x /entrypoint.sh
 

util/Nginx/nginx.conf

@@ -141,6 +141,9 @@ http {
     default "application/fido.trusted-apps+json";
   }
   
+  # Security headers
+  include security-headers.conf;
+
   # Include files in the sites-enabled folder. server{} configuration files should be
   # placed in the sites-available folder, and then the configuration should be enabled
   # by creating a symlink to it in the sites-enabled folder.

util/Nginx/security-headers-ssl.conf

@@ -0,0 +1,2 @@
+# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
+add_header Strict-Transport-Security max-age=15768000;

util/Nginx/security-headers.conf

@@ -0,0 +1,4 @@
+add_header Referrer-Policy same-origin;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";

util/Setup/Templates/NginxConfig.hbs

@@ -42,39 +42,46 @@ server {
   # Verify chain of trust of OCSP response using Root CA and Intermediate certs
   ssl_trusted_certificate {{{CaPath}}};
   resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
-{{/if}}
 {{/if}}
 
-  # Security headers
+  include /etc/nginx/security-headers-ssl.conf;
-  add_header Referrer-Policy same-origin;
-  add_header X-Frame-Options SAMEORIGIN;
-{{#if Ssl}}
-  add_header X-Content-Type-Options nosniff;
-  # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
-  add_header Strict-Transport-Security max-age=15768000;
 {{/if}}
 
   location / {
     proxy_pass http://web:5000/;
-    # Security headers
+    include /etc/nginx/security-headers.conf;
-    add_header X-XSS-Protection "1; mode=block";
+{{#if Ssl}}
+    include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
     add_header Content-Security-Policy "{{{ContentSecurityPolicy}}}";
   }
 
   location = /app-id.json {
     proxy_pass http://web:5000/app-id.json;
+    include /etc/nginx/security-headers.conf;
+{{#if Ssl}}
+    include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
     proxy_hide_header Content-Type;
     add_header Content-Type $fido_content_type;
   }
 
   location = /duo-connector.html {
     proxy_pass http://web:5000/duo-connector.html;
-    proxy_hide_header X-Frame-Options;
+    include /etc/nginx/security-headers.conf;
+{{#if Ssl}}
+    include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
+    add_header X-Frame-Options "";
   }
 
   location = /u2f-connector.html {
     proxy_pass http://web:5000/u2f-connector.html;
-    proxy_hide_header X-Frame-Options;
+    include /etc/nginx/security-headers.conf;
+{{#if Ssl}}
+    include /etc/nginx/security-headers-ssl.conf;
+{{/if}}
+    add_header X-Frame-Options "";
   }
 
   location /attachments/ {