
fix(nginx): apply recommended security headers to each location

oddlama 2023-08-03 00:36:06 +02:00
parent 8be9646d1a
commit 3548867a40
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A


@ -5,33 +5,45 @@
}: let
inherit
(lib)
mdDoc
mkBefore
mkIf
mkOption
types
;
in {
options.services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule ({config, ...}: {
options.recommendedSecurityHeaders = mkOption {
type = types.bool;
default = true;
description = mdDoc ''Whether to add additional security headers to the "/" location.'';
};
config = mkIf config.recommendedSecurityHeaders {
locations."/".extraConfig = ''
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
type = types.attrsOf (types.submodule {
options.locations = mkOption {
type = types.attrsOf (types.submodule ({config, ...}: {
options = {
recommendedSecurityHeaders = mkOption {
type = types.bool;
default = true;
description = "Whether to add additional security headers to this location.";
};
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
X-Frame-Options = mkOption {
type = types.str;
default = "DENY";
description = "The value to use for X-Frame-Options";
};
};
config = mkIf config.recommendedSecurityHeaders {
extraConfig = mkBefore ''
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
'';
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "${config.X-Frame-Options}";
add_header X-Content-Type-Options "nosniff";
'';
};
}));
};
}));
});
};
config = mkIf config.services.nginx.enable {