Redocly/redoc
1
1
Fork 0
mirror of https://github.com/Redocly/redoc.git synced 2024-11-22 00:26:34 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix: add security headers to Docker nginx config (#1244)

Browse Source 
* Add security headers to nginx config

Increase the security of the nginx server and the served page, by adding the following security headers to the nginx config:
- X-Frame-Options (Disables click jacking by disallowing the page to be run in a frame/iframe)
- X-XSS-Protection (Enables cross site scripting filtering)
- X-Content-Type-Options (Disables MIME sniffing and forces browser to use the type given in Content-Type.)
- Content-Security-Policy (Controls resources the user agent is allowed to load for a given page.)
- Referrer-Policy (Governs which referrer information sent in the Referer header should be included with requests made.)

Additional headers that could be added optionally:
- Strict-Transport-Security (Enforce HTTPS over HTTP)
This commit is contained in:
Daniel Schosser 2020-05-14 09:33:09 +02:00 committed by GitHub
parent 05e0a3f06b
commit 4512436f1d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
config/docker/nginx.conf
View File

@ -21,6 +21,13 @@ http {
alias /usr/share/nginx/html/;
if ($request_method = 'OPTIONS') {
# Add security headers
add_header 'X-Frame-Options' 'deny always';
add_header 'X-XSS-Protection' '"1; mode=block" always';
add_header 'X-Content-Type-Options' 'nosniff always';
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
# Set access control header
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
@ -36,11 +43,25 @@ http {
return 204;
}
if ($request_method = 'POST') {
# Add security headers
add_header 'X-Frame-Options' 'deny always';
add_header 'X-XSS-Protection' '"1; mode=block" always';
add_header 'X-Content-Type-Options' 'nosniff always';
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
# Set access control header
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
if ($request_method = 'GET') {
# Add security headers
add_header 'X-Frame-Options' 'deny always';
add_header 'X-XSS-Protection' '"1; mode=block" always';
add_header 'X-Content-Type-Options' 'nosniff always';
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
# Set access control header
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';