From 4133a35457c726701883326c00bb1317d3fb9955 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Thu, 13 Jan 2022 04:25:20 -0500
Subject: [PATCH] Additional hardening

---
 install.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install.sh b/install.sh
index 1c08faa..7d14a1e 100644
--- a/install.sh
+++ b/install.sh
@@ -519,7 +519,8 @@ server {
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "0";
 add_header X-Robots-Tag none;
- add_header Content-Security-Policy "frame-ancestors 'self'";
+ add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'" always;
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
 add_header X-Frame-Options DENY;
 add_header Referrer-Policy same-origin;
 location / {
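Review bot: `block-all-mixed-content` on the new Content-Security-Policy line is a deprecated directive that current browsers no longer honour, and it is subsumed by the `upgrade-insecure-requests` directive beside it, so the header can be reduced to `add_header Content-Security-Policy "upgrade-insecure-requests; form-action 'none'; frame-ancestors 'self'" always;`. `form-action 'none'` rejects every form submission, including same-origin ones, so it should be confirmed against what this server block serves (any login or settings form would stop working); `'self'` is the usual choice when the site has forms. The `always` flag is applied only to the two new headers, while the surrounding X-Content-Type-Options, X-XSS-Protection, X-Robots-Tag, X-Frame-Options and Referrer-Policy lines still omit it and are therefore not emitted on 4xx/5xx responses, which is worth aligning in the same change. The policy also still carries no `default-src`/`script-src`, so despite the commit title it does not mitigate script injection; the same directives and the same `always` inconsistency appear in the second hunk at line 587.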
@@ -587,7 +588,8 @@ server {
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "0";
 add_header X-Robots-Tag none;
- add_header Content-Security-Policy "frame-ancestors 'self'";
+ add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; form-action 'none'; frame-ancestors 'self'" always;
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
 add_header X-Frame-Options DENY;
 add_header Referrer-Policy same-origin;