chore(contrib): security headers in example nginx/caddy configs (P6-4)
Add HSTS + Permissions-Policy + the standard X-Frame/X-Content/Referrer set to the contrib nginx (443 block) and caddy examples; fix the caddy SPA try_files fallback (stray space). Generic (no homeserver-specific CSP). The real prod config lives in the matrix repo. P6-4 trimmed to headers only — patch-package / types-drift / build-config skipped (see LOTUS_TODO). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
+12
-1
@@ -1,6 +1,17 @@
|
||||
# more info: https://caddyserver.com/docs/caddyfile/patterns#single-page-apps-spas
|
||||
cinny.domain.tld {
|
||||
root * /path/to/cinny/dist
|
||||
try_files {path} / index.html
|
||||
try_files {path} /index.html
|
||||
file_server
|
||||
|
||||
# Security headers (generic; add a Content-Security-Policy suited to your
|
||||
# homeserver + any embedded services). Caddy serves HTTPS automatically, so
|
||||
# HSTS is delivered over TLS.
|
||||
header {
|
||||
X-Frame-Options SAMEORIGIN
|
||||
X-Content-Type-Options nosniff
|
||||
Referrer-Policy strict-origin-when-cross-origin
|
||||
Strict-Transport-Security "max-age=63072000; includeSubDomains"
|
||||
Permissions-Policy "accelerometer=(), autoplay=(self), camera=(self), display-capture=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(self), midi=(), payment=(), usb=()"
|
||||
}
|
||||
}
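Review bot: The `Permissions-Policy` value in the `header` block grants camera, microphone and display-capture to `self` only, which also denies those features to any cross-origin iframe the page embeds even when the frame carries an `allow=` attribute, so a widget or call service hosted on another origin loses them as soon as this header ships; the same applies to the `add_header Permissions-Policy` line in the nginx hunk. The surrounding comment already tells the operator to account for embedded services in the CSP, so it should say the same for this header, e.g. `# Embedded services on other origins that need camera/microphone/screen share must be allowlisted here, e.g. camera=(self "https://<widget-origin>")`. Whether such embeds exist for a given deployment cannot be told from the hunk, so the example config should at least point at the knob.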
|
||||
|
||||
@@ -17,6 +17,15 @@ server {
|
||||
listen [::]:443 ssl;
|
||||
server_name cinny.domain.tld;
|
||||
|
||||
# Security headers (generic; add a Content-Security-Policy suited to your
|
||||
# homeserver + any embedded services). NOTE: nginx does not inherit
|
||||
# server-level add_header into a location that sets its own add_header.
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
add_header Referrer-Policy strict-origin-when-cross-origin always;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
add_header Permissions-Policy "accelerometer=(), autoplay=(self), camera=(self), display-capture=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(self), midi=(), payment=(), usb=()" always;
|
||||
|
||||
location / {
|
||||
root /opt/cinny/dist/;
|
||||
|
||||
|
||||
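Review bot: The caveat in the comment above the `add_header` lines is exactly the one that bites here, but the hunk does not show whether `location /` (its body continues outside the hunk) sets its own `add_header`; if it does, nginx drops every server-level header for that location, and that is the location serving every page of the SPA, so the whole set would silently disappear. A more robust layout for an example config is to move the five `add_header` lines into a snippet file and `include` it from both the `server` block and `location /`, so a later `add_header` in the location cannot remove them. At minimum the comment should be made actionable: `# If you add add_header inside location / below, repeat (or include) these lines there.`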