[Bug] Disable nginx x-frame-options header (#1003)

2026-06-23 07:40:08 +00:00 · 2023-12-20 12:42:48 -05:00
parent bfe457d4f0
commit dfedcc8db9
2 changed files with 26 additions and 1 deletions
@@ -23,7 +23,7 @@ RUN apt-get update \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*

 # Copy package configs
-COPY --chmod=755 docker/deploy/etc/s6-overlay/ /etc/s6-overlay/
+COPY --chmod=755 docker/deploy/etc /etc

 # Copy app
 COPY --chown=webuser:webgroup . $WEBUSER_HOME
@@ -0,0 +1,25 @@
+#
+# Security Headers
+#
+
+# Prevent IFRAME spoofing attacks
+# Disabled for Speedtest Tracked to be embedded.
+# add_header X-Frame-Options           "SAMEORIGIN" always;
+
+# Prevent MIME attacks
+add_header X-Content-Type-Options    "nosniff" always;
+
+# Prevent Referrer URL from being leaked
+add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+
+# Configure Content Security Policy
+# UPDATE - September 2020: Commenting this out until we grasp better security requirements
+#add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+# Enable HSTS
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# Prevent access to . files (excent the well-known directory)
+location ~ /\.(?!well-known) {
+    deny all;
+}