diff --git a/cinny/nginx.conf b/cinny/nginx.conf
index 77df5a4..56942fb 100644
--- a/cinny/nginx.conf
+++ b/cinny/nginx.conf
@@ -23,6 +23,16 @@ server {
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Referrer-Policy strict-origin-when-cross-origin always;
+ # HSTS: TLS terminates upstream (this server is listen 80), so this reaches
+ # the browser only if the front proxy passes upstream response headers
+ # through; otherwise set it at the TLS terminator. includeSubDomains covers
+ # all *.lotusguild.org (all HTTPS); `preload` is inert until submitted to
+ # hstspreload.org.
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ # Permissions-Policy: allow only what the app uses (self) — calls
+ # (camera/microphone/display-capture), location share (geolocation), sounds
+ # (autoplay), Element Call (fullscreen/encrypted-media) — and deny the rest.
+ add_header Permissions-Policy "accelerometer=(), autoplay=(self), camera=(self), display-capture=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(self), midi=(), payment=(), usb=()" always;
 # Block all source map files and dotfiles from public access
 location ~* \.(js|css)\.map$ {