@paulo-amaral
Last active December 8, 2023 18:18
best-nginx-configuration-for-security-drupal
#Paulo Sérgio Amaral - 2021
#A+ FOR DRUPAL - BEHIND NGINX REVERSE PROXY
#Security headers, Mozilla Observatory and others.
#Save this file as /etc/nginx/security.conf and add this line inside your server {} block:
#include security.conf;
#Caveat: nginx only inherits add_header from the enclosing level when the current level sets no add_header of its own,
#so every location {} that adds a header (e.g. a PHP or static-file location) must also include security.conf.
#start headers config
add_header X-Frame-Options "SAMEORIGIN" always;
# legacy header: current browsers ignore it, and OWASP now recommends "0" (or omitting it) because the old XSS auditor enabled side channels
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# strict-origin-when-cross-origin (the current browser default) leaks less than no-referrer-when-downgrade
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# preload is effectively permanent: submit to hstspreload.org only once every subdomain serves HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# no compression of TLS responses: mitigates BREACH (compression side channel on secrets in the response body)
gzip off;
# NOTE: script-src 'none' also blocks Drupal core's own JavaScript (jQuery, drupal.js, AJAX, the admin toolbar),
# so a working Drupal site needs at least script-src 'self'; add frame-ancestors 'self' to cover framing in CSP as well
add_header Content-Security-Policy "default-src 'none'; script-src 'none'; connect-src 'self'; object-src 'none'; frame-src 'self'; img-src 'self' data:; style-src 'self'" always;
#new feature - goodbye Feature-Policy (Permissions-Policy replaces it)
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
#INSERT YOUR DOMAIN IN THE report-uri URL
#Expect-CT is deprecated: Certificate Transparency is enforced by default for publicly trusted certificates and browsers have dropped this header, so it can be removed
add_header Expect-CT 'max-age=60, report-uri="https://domain/report"';
# only /crossdomain.xml may grant cross-domain access to Flash/Acrobat clients; use "none" if you serve no policy file at all
add_header X-Permitted-Cross-Domain-Policies master-only;
# let the server's cipher order win over the client's preference
# (the original BEAST rationale no longer applies once TLS 1.0/1.1 are disabled below)
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# only TLS 1.2 and 1.3: SSLv3, TLS 1.0 and TLS 1.1 are all disabled
# (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it from the list on older builds)
ssl_protocols TLSv1.2 TLSv1.3;
# ciphers chosen for forward secrecy: only ECDHE/DHE AEAD suites (the Mozilla "intermediate" set);
# the non-PFS AES-SHA, CBC and 3DES (DES-CBC3-SHA, SWEET32) suites found in older lists are deliberately left out
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# append HttpOnly and Secure to cookies set by the upstream (only affects responses passed through proxy_pass;
# it rewrites the Path attribute, so cookies without one are untouched, flags already present get duplicated,
# and SameSite is not added - set that in Drupal's own session cookie settings)
proxy_cookie_path / "/; HttpOnly; Secure";
# hiding Server/X-Powered-By needs the headers-more module (ngx_http_headers_more_filter_module);
# stock nginx can only do "server_tokens off;", which hides the version but not the product name,
# and expose_php = Off in php.ini stops PHP from sending X-Powered-By in the first place
more_set_headers "Server: Classified";
more_clear_headers "X-Powered-By";
# deny dotfiles and dot-directories (.git, .env, .htaccess, ...) except /.well-known/ (ACME challenges, security.txt)
location ~ /\.(?!well-known) {
deny all;
}
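To confirm that a deployed server actually sends what security.conf declares (the usual surprise is a location {} block whose own add_header silently drops the inherited headers), here is an added header checker in Python. It is not part of the gist, of nginx or of Drupal: it parses the raw header block you get from `curl -sI https://your-site/` and reports missing or weak values. Both response samples below are constructed for illustration (the hostname, version numbers and cookie name are made up), and the thresholds it enforces (one-year HSTS with includeSubDomains, object-src 'none', no inline scripts, Secure/HttpOnly cookies, no version in Server, no X-Powered-By) are the ones this configuration aims for.

```python
import re

# Constructed sample (not a real capture): the header block `curl -sI` would show
# from a hypothetical example.com running Drupal behind the security.conf above.
HARDENED_RESPONSE = """HTTP/2 200
server: Classified
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'none'; script-src 'none'; connect-src 'self'; object-src 'none'; frame-src 'self'; img-src 'self' data:; style-src 'self'
permissions-policy: accelerometer=(), camera=(), geolocation=()
set-cookie: SESSabc=123; path=/; HttpOnly; Secure
"""

# Constructed sample: a stock nginx + PHP-FPM response with none of the hardening applied.
DEFAULT_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
Set-Cookie: SESSabc=123; path=/
"""

ONE_YEAR = 31536000


def parse_headers(raw):
    """Parse a raw header block into {lowercased-name: [values]} (Set-Cookie may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    def first(name):
        values = headers.get(name)
        return values[0] if values else None

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = first("content-security-policy")
    xfo = (first("x-frame-options") or "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # "name src src; name src" -> {name: [src, ...]}
        directives = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0]] = parts[1:]
        if directives.get("object-src") != ["'none'"] and directives.get("default-src") != ["'none'"]:
            findings.append("CSP allows plugins (set object-src 'none')")
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP script-src allows inline or wildcard scripts")

    if first("referrer-policy") is None:
        findings.append("missing Referrer-Policy")

    server = first("server") or ""
    if re.search(r"/\d", server):  # e.g. "nginx/1.18.0"
        findings.append("Server header leaks version: " + server)
    if first("x-powered-by") is not None:
        findings.append("X-Powered-By header leaks the backend stack")

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        flags = [attr.strip().lower() for attr in cookie.split(";")[1:]]
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append("cookie %s lacks %s" % (name, flag))

    return findings


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("default", DEFAULT_RESPONSE)):
        print(label, check_headers(parse_headers(raw)) or ["OK"])
```

Against a live host, feed the output of `curl -sI` to parse_headers() and print check_headers(); run it once per path type (front page, a PHP path, a static asset under /sites/default/files) so that a location {} block that drops the inherited headers shows up as a difference between the runs.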