This config is applied only to the main website `location`, not to static assets. That saves bandwidth, since these headers only matter during the initial page load.
```nginx
# Requires the ngx_headers_more module (more_set_headers); the plain
# add_header directive below comes from the stock headers module.
more_set_headers "X-UA-Compatible: IE=Edge";
more_set_headers "X-XSS-Protection: 1; mode=block";
# Two years, subdomains included, eligible for the browser preload list.
more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload";
more_set_headers "X-Frame-Options: SAMEORIGIN";
more_set_headers "X-Content-Type-Options: nosniff";
# Note: reflected-xss, disown-opener and referrer were dropped from the CSP
# specification and current browsers ignore them; Referrer-Policy is the
# separate header that replaced the referrer directive.
more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self' data: gist.github.com embedr.flickr.com widgets.flickr.com; style-src 'self' 'unsafe-inline' data: assets-cdn.github.com; img-src 'self' data: www.gravatar.com farm2.staticflickr.com; font-src 'self' data:; connect-src 'self' embedr.flickr.com geo.query.yahoo.com; media-src 'none'; object-src 'self'; child-src 'self' www.youtube.com gaming.youtube.com player.twitch.tv; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri https://www.itchy.nl; manifest-src 'self'; disown-opener; referrer no-referrer-when-downgrade;";
# Let's Encrypt Authority X3, RSA, ECDSA, CSR, backup CSR
# HPKP (Public-Key-Pins) has since been removed from Chrome and Firefox, so
# this header is now ignored. Caveat on add_header: it is only attached to
# 2xx/3xx responses, and a location with its own add_header does not inherit
# add_header lines from the enclosing server block.
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="my9dyWLXojgSRTP+nEh9I8PUN/kUNpUoYPpCcJawFW8="; pin-sha256="UPyLUPCmMMZ5Lg8cB2RU8G+J0r4Qem9pP8oRDoON0LA="; pin-sha256="ViRyMWixdK0LPvU2iMuLH7ymDv4bTusdYhim7C4M6Xk="; pin-sha256="GDHmLMGGBmvmx0BbnKYp5t65AIJBGlregE1QIMp09p0="; max-age=2592000';
```
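A quick way to verify that a deployment actually emits these headers, and to spot the parts of this policy that browsers no longer honour, is to audit the response headers after a deploy. The following checker is an added example, not part of the gist: it takes a plain dict of response headers (as `requests` or `http.client` would return), splits the CSP into directives the way a browser does (first occurrence of a directive wins, `script-src` falls back to `default-src`), and reports obsolete directives, `data:` in `script-src`, a non-`'none'` `object-src`, an HSTS `max-age` below the one-year preload minimum, and a Public-Key-Pins header. The sample headers below are constructed from the gist's values; the `REQUIRED_HEADERS` table and the finding strings are this example's own choices.

```python
"""Audit HTTP response headers against the nginx security-header policy above.

Added example, not part of the original gist. Assumes headers arrive as a
dict[str, str]; the sample headers at the bottom are constructed for the test.
"""
from __future__ import annotations

# Header name (lowercase) -> substrings its value must contain to match the policy.
REQUIRED_HEADERS: dict[str, list[str]] = {
    "strict-transport-security": ["max-age=", "includesubdomains"],
    "x-frame-options": ["sameorigin"],
    "x-content-type-options": ["nosniff"],
    "x-xss-protection": ["1", "mode=block"],
    "content-security-policy": ["default-src"],
}

# Directives removed from the CSP specification; browsers ignore them.
OBSOLETE_CSP_DIRECTIVES = {"reflected-xss", "disown-opener", "referrer", "block-all-mixed-content"}

HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the preload-list minimum


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source, ...]}.

    Like a browser, keep only the first occurrence of a repeated directive.
    """
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # trailing ';' or empty chunk
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int | None:
    """Extract max-age from an HSTS value, or None if absent or malformed."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return None
    return None


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the headers match the policy."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    findings: list[str] = []

    for name, needles in REQUIRED_HEADERS.items():
        value = lowered.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
            continue
        for needle in needles:
            if needle not in value:
                findings.append(f"{name}: expected '{needle}' in value")

    hsts = lowered.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < HSTS_PRELOAD_MIN_AGE:
            findings.append("strict-transport-security: max-age below the one-year preload minimum")

    csp = lowered.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        for directive in sorted(OBSOLETE_CSP_DIRECTIVES & policy.keys()):
            findings.append(f"content-security-policy: directive '{directive}' is obsolete and ignored")
        # script-src falls back to default-src when it is not set explicitly.
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "data:" in script_src:
            findings.append("content-security-policy: script-src allows data: URIs")
        if "'unsafe-inline'" in script_src:
            findings.append("content-security-policy: script-src allows 'unsafe-inline'")
        object_src = policy.get("object-src", policy.get("default-src", []))
        if "'none'" not in object_src:
            findings.append("content-security-policy: object-src is not 'none'")

    if "public-key-pins" in lowered:
        findings.append("public-key-pins: HPKP has been removed from browsers and is ignored")
    return findings


# Constructed sample, using the values from the gist.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' data: gist.github.com; "
                                "style-src 'self' 'unsafe-inline'; object-src 'self'; "
                                "reflected-xss block; disown-opener; referrer no-referrer-when-downgrade;"),
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER"; max-age=2592000',
}

# The same policy with the flagged items fixed.
HARDENED_HEADERS = dict(SAMPLE_HEADERS)
del HARDENED_HEADERS["Public-Key-Pins"]
HARDENED_HEADERS["Content-Security-Policy"] = (
    "default-src 'self'; script-src 'self' gist.github.com; "
    "style-src 'self' 'unsafe-inline'; object-src 'none';")

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run it against the headers of a live deployment (for example `audit_headers(dict(requests.head(url).headers))`) as a post-deploy check; a non-empty result is the list of gaps between what the config intends and what browsers will actually enforce.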