diff --git a/modules/services/kavita.nix b/modules/services/kavita.nix
index eebef29..9208794 100644
--- a/modules/services/kavita.nix
+++ b/modules/services/kavita.nix
@@ -75,6 +75,7 @@ in
http3 = useHttps;
locations."/".proxyPass = "http://127.0.0.1:5000";
locations."/".extraConfig = ''
+ more_clear_headers 'x-frame-options';
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index acab1e2..78afb3a 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -11,7 +11,7 @@
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
- #additionalModules = [ pkgs.nginxModules.moreheaders ];
+ additionalModules = [ pkgs.nginxModules.moreheaders ];
# Use recommended settings
recommendedGzipSettings = true;
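Review bot: The added `more_clear_headers 'x-frame-options';` removes the framing protection for the Kavita location without saying what is meant to take its place; a comment such as `# strip the app's own X-Frame-Options so the http-level CSP frame-ancestors header decides who may embed Kavita` would make the intent explicit (that Kavita itself emits the header is inferred from the need to clear it, confirm). Unlike `add_header`, headers-more also rewrites headers arriving from the proxied upstream, so this silently discards any framing policy the application sets, and clients that only honour X-Frame-Options are left with no framing restriction at all for this location. The enclosing location and virtualHost block start and end outside the hunk.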
@@ -22,35 +22,35 @@
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- #appendConfig= ''
- # more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
- # more_set_headers 'X-XSS-Protection 1; mode=block';
- # more_set_headers 'X-Frame-Options SAMEORIGIN';
- # more_set_headers 'X-Content-Type-Options nosniff';
- # more_set_headers "Content-Security-Policy default-src 'self'; font-src *;";
- #'';
-
- appendHttpConfig = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'https://kopatz.ddns.net'" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
- # Disable embedding as a frame
- add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
-
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
+ appendHttpConfig= ''
+ more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
+ more_set_headers 'X-XSS-Protection 1; mode=block';
+ # add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
+ more_set_headers 'X-Content-Type-Options nosniff';
+ more_set_headers "Content-Security-Policy: frame-ancestors 'https://kopatz.ddns.net'";
'';
+ #appendHttpConfig = ''
+ # # Add HSTS header with preloading to HTTPS requests.
+ # # Adding this header to HTTP requests is discouraged
+ # map $scheme $hsts_header {
+ # https "max-age=31536000; includeSubdomains; preload";
+ # }
+ # add_header Strict-Transport-Security $hsts_header;
+
+ # # Enable CSP for your services.
+ # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'https://kopatz.ddns.net'" always;
+
+ # # Minimize information leaked to other domains
+ # add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # # Disable embedding as a frame
+ # add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
+
+ # # Prevent injection of code in other mime types (XSS Attacks)
+ # add_header X-Content-Type-Options nosniff;
+ #'';
+
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"kopatz.ddns.net" = {
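Review bot: The new `more_set_headers "Content-Security-Policy: frame-ancestors 'https://kopatz.ddns.net'";` line puts the host in single quotes, but in CSP single quotes are reserved for keyword sources such as 'self' and 'none'; browsers discard a quoted host as an invalid source, which leaves frame-ancestors with no allowed origin and blocks the very embedding this rewrite (and the `more_clear_headers` in kavita.nix) is meant to permit, so it should read `more_set_headers "Content-Security-Policy: frame-ancestors https://kopatz.ddns.net";`. The X-XSS-Protection and X-Content-Type-Options lines are also missing the `:` between header name and value that headers-more expects (compare the HSTS line just above), so neither of those headers will be emitted as written; the corrected lines are `more_set_headers 'X-XSS-Protection: 1; mode=block';` and `more_set_headers 'X-Content-Type-Options: nosniff';` (X-XSS-Protection is deprecated, and where browsers still honour it `0` is the recommended value). Compared with the removed block, this version also drops Referrer-Policy and the script-src/object-src/base-uri directives, and it now sends HSTS on every response rather than only over https as the removed `map $scheme` did, which the commit should either justify or restore. The `sslCiphers` and `virtualHosts` context around this hunk continues outside it.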