Add more security headers to nginx configuration

package-health · May 18, 2023 · ddd4448 · ddd4448
1 parent 1f35cda
commit ddd4448
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
@@ -9,9 +9,11 @@ server {
   try_files $uri @php;
 
   # security headers
+  add_header X-Content-Type-Options    "nosniff" always;
   add_header Referrer-Policy           "no-referrer-when-downgrade" always;
-  add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+  add_header Content-Security-Policy   "default-src 'self' https: wss: data: blob:; frame-ancestors 'self';" always;
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+  add_header Permissions-Policy        "autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()" always;
 
   location ~* \.(css|png|ico|webmanifest|eot|svg|ttf|woff|woff2|txt|jpg|jpeg|gif|webp)$ {
     try_files  $uri /index.php$is_args$args;