23 lines
1.3 KiB
Plaintext
23 lines
1.3 KiB
Plaintext
# Global security headers - apply everywhere
|
|
|
|
# We do not set clipboard-write() here, because it is very commonly used
|
|
proxy_hide_header Strict-Transport-Security;
|
|
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-create=self, publickey-credentials-get=self, screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
|
|
|
|
proxy_hide_header Permissions-Policy;
|
|
add_header Referrer-Policy "same-origin" always;
|
|
|
|
proxy_hide_header X-Content-Type-Options;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
proxy_hide_header X-Frame-Options;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
|
|
proxy_hide_header X-Permitted-Cross-Domain-Policies;
|
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
|
|
|
# Obsolete and replaced by Content-Security-Policy
|
|
# Only here to pass Hardenize checks
|
|
proxy_hide_header X-XSS-Protection;
|
|
add_header X-XSS-Protection "0" always;
|