From df2d91970d3c96425056acfa59ca988e02ac65a8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Mon, 24 May 2021 17:02:47 +0530 Subject: [PATCH] matrix_nginx_proxy_xss_protection --- roles/matrix-nginx-proxy/defaults/main.yml | 4 ++++ .../templates/nginx/conf.d/matrix-base-domain.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-client-element.conf.j2 | 4 +--- .../templates/nginx/conf.d/matrix-dimension.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-domain.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-jitsi.conf.j2 | 2 +- .../templates/nginx/conf.d/matrix-riot-web.conf.j2 | 8 ++++++++ .../templates/nginx/conf.d/matrix-sygnal.conf.j2 | 2 +- 9 files changed, 33 insertions(+), 7 deletions(-) diff --git a/roles/matrix-nginx-proxy/defaults/main.yml b/roles/matrix-nginx-proxy/defaults/main.yml index 3a6f943a..dd0fc21e 100644 --- a/roles/matrix-nginx-proxy/defaults/main.yml +++ b/roles/matrix-nginx-proxy/defaults/main.yml @@ -290,6 +290,10 @@ matrix_nginx_proxy_floc_optout_enabled: true # - https://hstspreload.org/#opt-in matrix_nginx_proxy_hsts_preload_enable: false +# +# +matrix_nginx_proxy_xss_protection: "1; mode=block" + # Specifies the SSL configuration that should be used for the SSL protocols and ciphers # This is based on the Mozilla Server Side TLS Recommended configurations. # diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 index a2d59e86..0a761236 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2 @@ -9,6 +9,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 index d0b31797..b3ef5980 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block";; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 index 2859cbb5..1e0ba2f1 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 @@ -10,10 +10,8 @@ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'"; - add_header Referrer-Policy "strict-origin-when-cross-origin"; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 index 4c2f4ee0..3ccb3a13 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 index 703c490e..7713661e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 @@ -20,6 +20,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif %} + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; location /.well-known/matrix { root {{ matrix_static_files_base_path }}; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 index eed665a0..cf9ae712 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 index a69424f4..4e89521e 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2 @@ -4,6 +4,14 @@ {% if matrix_nginx_proxy_floc_optout_enabled %} add_header Permissions-Policy interest-cohort=() always; {% endif %} + + {% if matrix_nginx_proxy_hsts_preload_enable %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + {% else %} + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + {% endif + + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; {% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %} {{- configuration_block }} diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 index 2064fad8..ef600ab7 100644 --- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 +++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2 @@ -8,7 +8,7 @@ {% else %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; {% endif %} - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY;