
fix(nginx): apply recommended security headers to each location

This commit is contained in:
oddlama 2023-08-03 00:36:06 +02:00
parent 8be9646d1a
commit 3548867a40
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A


@ -5,33 +5,45 @@
}: let }: let
inherit inherit
(lib) (lib)
mdDoc mkBefore
mkIf mkIf
mkOption mkOption
types types
; ;
in { in {
options.services.nginx.virtualHosts = mkOption { options.services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule ({config, ...}: { type = types.attrsOf (types.submodule {
options.recommendedSecurityHeaders = mkOption { options.locations = mkOption {
type = types.bool; type = types.attrsOf (types.submodule ({config, ...}: {
default = true; options = {
description = mdDoc ''Whether to add additional security headers to the "/" location.''; recommendedSecurityHeaders = mkOption {
}; type = types.bool;
config = mkIf config.recommendedSecurityHeaders { default = true;
locations."/".extraConfig = '' description = "Whether to add additional security headers to this location.";
# Enable HTTP Strict Transport Security (HSTS) };
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains X-Frame-Options = mkOption {
add_header Referrer-Policy "origin-when-cross-origin"; type = types.str;
default = "DENY";
description = "The value to use for X-Frame-Options";
};
};
config = mkIf config.recommendedSecurityHeaders {
extraConfig = mkBefore ''
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-XSS-Protection "1; mode=block"; # Minimize information leaked to other domains
add_header X-Frame-Options "DENY"; add_header Referrer-Policy "origin-when-cross-origin";
add_header X-Content-Type-Options "nosniff";
''; add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "${config.X-Frame-Options}";
add_header X-Content-Type-Options "nosniff";
'';
};
}));
}; };
})); });
}; };
config = mkIf config.services.nginx.enable { config = mkIf config.services.nginx.enable {