fix(nginx): apply recommended security headers to each location

2025-10-11 07:10:39 +02:00 · 2023-08-03 00:36:06 +02:00 · 2023-08-03 00:36:06 +02:00 · 3548867a40
commit 3548867a40
parent 8be9646d1a
1 changed files with 30 additions and 18 deletions
--- a/modules/meta/nginx.nix
+++ b/modules/meta/nginx.nix
@ -5,21 +5,31 @@
 }: let
  inherit
    (lib)
-    mdDoc
+    mkBefore
    mkIf
    mkOption
    types
    ;
 in {
  options.services.nginx.virtualHosts = mkOption {
+    type = types.attrsOf (types.submodule {
+      options.locations = mkOption {
        type = types.attrsOf (types.submodule ({config, ...}: {
-      options.recommendedSecurityHeaders = mkOption {
+          options = {
+            recommendedSecurityHeaders = mkOption {
              type = types.bool;
              default = true;
-        description = mdDoc ''Whether to add additional security headers to the "/" location.'';
+              description = "Whether to add additional security headers to this location.";
+            };
+
+            X-Frame-Options = mkOption {
+              type = types.str;
+              default = "DENY";
+              description = "The value to use for X-Frame-Options";
+            };
          };
          config = mkIf config.recommendedSecurityHeaders {
-        locations."/".extraConfig = ''
+            extraConfig = mkBefore ''
              # Enable HTTP Strict Transport Security (HSTS)
              add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

@ -27,12 +37,14 @@ in {
              add_header Referrer-Policy "origin-when-cross-origin";

              add_header X-XSS-Protection "1; mode=block";
-          add_header X-Frame-Options "DENY";
+              add_header X-Frame-Options "${config.X-Frame-Options}";
              add_header X-Content-Type-Options "nosniff";
            '';
          };
        }));
      };
+    });
+  };

  config = mkIf config.services.nginx.enable {
    age.secrets."dhparams.pem" = {