diff --git a/swag/nginx/proxy-confs/gitea.subdomain.conf b/swag/nginx/proxy-confs/gitea.subdomain.conf
index f8a6a1c..e465daa 100644
--- a/swag/nginx/proxy-confs/gitea.subdomain.conf
+++ b/swag/nginx/proxy-confs/gitea.subdomain.conf
@@ -12,6 +12,9 @@ server {
 include /config/nginx/ssl.conf;
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
 client_max_body_size 0;
 # enable for ldap auth (requires ldap-location.conf in the location block)
diff --git a/swag/nginx/ssl.conf b/swag/nginx/ssl.conf
index 27c6c8a..c13e04c 100644
--- a/swag/nginx/ssl.conf
+++ b/swag/nginx/ssl.conf
@@ -15,13 +15,10 @@ ssl_dhparam /config/nginx/dhparams.pem;
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers on;
 ssl_conf_command Options PrioritizeChaCha;
-# HSTS (ngx_http_headers_module is required) (63072000 seconds)
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
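Review bot: The Strict-Transport-Security line is added at `server` level, but nginx only inherits `add_header` into a `location` block that declares no `add_header` of its own, so any location in this file (or in the included ldap-location.conf the comment refers to) that sets a header will silently drop HSTS together with every header ssl.conf adds; the rest of the `server` block is outside the hunk, so I cannot confirm whether such a location exists. The `preload` token is only honoured on the registrable domain, so on a single subdomain it is inert, while `includeSubDomains` still commits every host under gitea.* to HTTPS for two years. A comment next to the directive would make both consequences explicit, e.g. `# set per-site (not in ssl.conf); re-add in any location that uses add_header, otherwise HSTS is dropped there`.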
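Review bot: Deleting the Strict-Transport-Security line from the shared ssl.conf means every other proxy-conf that includes it stops sending HSTS unless the header is re-added per file as the gitea hunk does; if that narrowing is intended, a comment at the removal site would save the next reader a hunt, e.g. `# HSTS is set per-site in proxy-confs/*.conf, not here`. The new `ssl_ciphers` list also introduces `DHE-RSA-*` suites, which depend on the `ssl_dhparam /config/nginx/dhparams.pem` shown in the hunk header being a 2048-bit or larger group and cost more per handshake than the ECDHE entries; either confirm the dhparams size in a comment or drop the two DHE suites if no DHE-only clients are expected. The list now matches the Mozilla "intermediate" profile the comment above it names, but that profile is paired with `ssl_prefer_server_ciphers off;` whereas the unchanged context line keeps it `on`, which is worth reconciling so the comment and the settings agree.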
@@ -34,7 +31,7 @@ add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
 add_header Referrer-Policy "same-origin" always;
 add_header X-Content-Type-Options "nosniff" always;
-#add_header X-UA-Compatible "IE=Edge" always;
+add_header X-Frame-Options "DENY" always;
 add_header X-XSS-Protection "0" always;
-add_header Cross-Origin-Resource-Policy same-origin;
+add_header Cross-Origin-Resource-Policy cross-origin;
 add_header Cross-Origin-Opener-Policy same-origin;
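Review bot: `Cross-Origin-Resource-Policy cross-origin` removes the cross-site read protection the previous `same-origin` value provided, and because ssl.conf is shared by every proxied site this relaxes all of them at once; if the breakage being fixed is resources loaded between subdomains of one site, `add_header Cross-Origin-Resource-Policy same-site always;` allows that while still refusing cross-site embedding. That line (like the Cross-Origin-Opener-Policy line below it) also lacks `always`, so unlike the other headers in this block it is not sent on 4xx/5xx responses. The new `X-Frame-Options "DENY"` likewise applies to every site behind the proxy and breaks any app that frames its own pages; `SAMEORIGIN`, or a `frame-ancestors` directive in the Content-Security-Policy named in the hunk header (whose full value is not visible here), is the less disruptive default.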