From a7dba3bffdbc01e2220442d3f9a9cb3831f28f7e Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Mon, 15 Apr 2024 16:22:45 +0200
Subject: [PATCH] test nginx headers

---
 modules/services/nginx.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index df6ada7..acab1e2 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -30,6 +30,27 @@
 # more_set_headers "Content-Security-Policy default-src 'self'; font-src *;";
 #'';
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'https://kopatz.ddns.net'" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+ '';
+
 # Setup Nextcloud virtual host to listen on ports
 virtualHosts = {
 "kopatz.ddns.net" = {
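Review bot: The `frame-ancestors 'https://kopatz.ddns.net'` source in the added Content-Security-Policy line quotes a host, but CSP only quotes keywords such as 'self' and 'none'; browsers discard the unrecognised expression, which leaves frame-ancestors with an empty source list and blocks framing from every origin, including kopatz.ddns.net itself. The X-Frame-Options line a few lines below has the opposite problem: `ALLOW-FROM` was never standardised and current browsers ignore it (Chromium drops the whole header when it sees that token), so the comment `# Disable embedding as a frame` does not describe what the value actually does. Drop the quotes, `frame-ancestors https://kopatz.ddns.net`, and use `add_header X-Frame-Options SAMEORIGIN;` as the fallback for browsers that do not evaluate frame-ancestors, which takes precedence in those that do. Note also that nginx add_header directives set at the http level are not inherited by any server or location block that declares its own add_header, so if the Nextcloud virtual host below sets headers of its own (the Nextcloud module typically does), these http-level headers will be missing from those responses; this is worth confirming against a deployed instance. The enclosing services.nginx attribute set begins and ends outside the hunk.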