From 6d3474809b94db74aeb7471dd44b3b0b30ab65bc Mon Sep 17 00:00:00 2001
From: Daniel Schosser <daniel@crashtest-security.com>
Date: Mon, 11 May 2020 10:04:17 +0200
Subject: [PATCH] refactor: update security header as nginx does not inherit
 correctly

---
 config/docker/nginx.conf | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/config/docker/nginx.conf b/config/docker/nginx.conf
index 6d72b7f9..8db49546 100644
--- a/config/docker/nginx.conf
+++ b/config/docker/nginx.conf
@@ -17,17 +17,18 @@ http {
     server_name       localhost;
     index             index.html index.htm;
 
-    # Add security headers
-    add_header X-Frame-Options deny always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header Content-Security-Policy "default-src 'none'" always;
-    add_header Referrer-Policy strict-origin-when-cross-origin always;
-
     location / {
       alias            /usr/share/nginx/html/;
 
       if ($request_method = 'OPTIONS') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Content-Security-Policy' '"default-src \'none\'" always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin always';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           #
@@ -43,11 +44,27 @@ http {
           return 204;
       }
       if ($request_method = 'POST') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Content-Security-Policy' '"default-src \'none\'" always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin always';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
       }
       if ($request_method = 'GET') {
+          # Add security headers
+          add_header 'X-Frame-Options' 'deny always';
+          add_header 'X-XSS-Protection' '"1; mode=block" always';
+          add_header 'X-Content-Type-Options' 'nosniff always';
+          add_header 'Content-Security-Policy' '"default-src \'none\'" always';
+          add_header 'Referrer-Policy' 'strict-origin-when-cross-origin always';
+
+          # Set access control header
           add_header 'Access-Control-Allow-Origin' '*';
           add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
           add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';