From b0a0f5f567fc6350e1929d4f3a25bde40d5db75a Mon Sep 17 00:00:00 2001
From: Hugo SUBTIL <ext.sopra.husubtil@grandlyon.com>
Date: Thu, 6 May 2021 09:59:33 +0200
Subject: [PATCH] fix: wip on nginx configuration

---
 nginx/dev.conf              | 9 +++++++++
 nginx/security-headers.conf | 5 +++++
 2 files changed, 14 insertions(+)
 create mode 100644 nginx/security-headers.conf

diff --git a/nginx/dev.conf b/nginx/dev.conf
index 38db77c59..b43d16e38 100644
--- a/nginx/dev.conf
+++ b/nginx/dev.conf
@@ -18,6 +18,9 @@ server {
   listen 8080 default_server;
 
   root /usr/share/nginx/html/;
+
+  server_tokens off;
+
   set $matomo_script
   "<script type='text/javascript'>
     var _paq = window._paq = window._paq || [];
@@ -32,6 +35,12 @@ server {
     })();
   </script>";
 
+
+  location ~ /index.html|.*\.json$ {
+      expires -1;
+      add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+  }
+
   location / {
     # Redirect outdated nav
     if ($outdated = 1){
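Review bot: The regex in `location ~ /index.html|.*\.json$ {` is unanchored on the left and the `.` in `index.html` is unescaped, so the first alternative also matches URIs such as `/static/index.html` or `/index.html.bak`; `location ~ ^/(index\.html|.*\.json)$ {` pins both alternatives to the whole path. Separately, nginx inherits `add_header` directives from the enclosing level only when the current level declares none, so the `add_header Cache-Control …` in this block drops any headers set at server level for exactly the HTML and JSON responses — once security-headers.conf is included at server level, those responses will lack the security headers unless the location also carries `include <path-to>/security-headers.conf;`. The enclosing `server { }` block and the `location /` block continue outside the hunk.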
diff --git a/nginx/security-headers.conf b/nginx/security-headers.conf
new file mode 100644
index 000000000..33106bbd0
--- /dev/null
+++ b/nginx/security-headers.conf
@@ -0,0 +1,5 @@
+add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always;
+add_header Content-Security-Policy "object-src 'none'; script-src 'self' https://openlayers.org/en/v4.6.5/build/ol.js https://embed.typeform.com/embed.js; script-src-elem 'self' https://openlayers.org/en/v4.6.5/build/ol.js https://embed.typeform.com/embed.js; base-uri 'self'; style-src https://openlayers.org/en/v4.6.5/css/ol.css https://cdn.jsdelivr.net/npm/leaflet.locatecontrol@0.72.0/dist/L.Control.Locate.min.css 'unsafe-inline' 'self';" always;
+add_header X-Frame-Options "DENY" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "strict-origin" always;
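Review bot: The Content-Security-Policy on the second line has no `default-src`, so every fetch directive it does not list (img-src, connect-src, font-src, frame-src, worker-src, …) stays unrestricted, and it has no `frame-ancestors`, so CSP-aware browsers get no framing protection beyond the legacy X-Frame-Options below; start from `default-src 'self'; frame-ancestors 'none';` and add only the hosts the pages actually load from. Note also that dev.conf builds an inline `<script>` block in `$matomo_script` (context of the first hunk in this patch), which `script-src 'self' …` with no nonce or hash will block once this file is included — prefer a `'sha256-<hash of the snippet>'` source over adding `'unsafe-inline'`. The HSTS `max-age=31449600` is 364 days, just under the one year (`31536000`) that preload lists and most guidance require. No `include` of this file appears in the patch, so none of these headers is applied yet.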
-- 
GitLab