# {{ ansible_managed }}
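# HTTP Strict Transport Security: instructs browsers to reach this host over TLS only,
# which defeats protocol-downgrade attacks and cookie hijacking over plain HTTP.
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
#
# nginx_hsts_options is a list of HSTS directives, e.g. ['max-age=31536000', 'includeSubDomains'].
# It must be defined whenever nginx_tls_hsts_enabled is true:
#   - browsers ignore an HSTS header that carries no max-age (RFC 6797), and
#   - a bare `add_header Strict-Transport-Security;` is rejected by nginx
#     ("invalid number of arguments"), so the old template broke the config test.
# Failing at template time via `mandatory` gives the operator a clear message instead.
# NOTE: an empty list renders an empty value, which nginx appears to drop silently; and
# a long max-age pins clients to HTTPS for that period, so roll out with a short value first.
# NOTE: add_header is not inherited into a server/location block that declares its own
# add_header; every such block must repeat this line. Without the `always` parameter,
# nginx attaches the header to 2xx/3xx responses only.
{% if nginx_tls_hsts_enabled %}
add_header Strict-Transport-Security "{{ nginx_hsts_options | mandatory | join('; ') }}";
{% endif %}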
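# Clickjacking defence: X-Frame-Options tells browsers whether this site may be framed.
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
#
# nginx_xfo_policy is expected to be DENY or SAMEORIGIN. The value is quoted so that a
# policy containing whitespace (the obsolete `ALLOW-FROM <uri>` form) still renders one
# header value; unquoted, nginx would read the URI as a third add_header argument and
# reject the config. ALLOW-FROM is ignored by current browsers — use a
# Content-Security-Policy frame-ancestors directive when framing by a specific origin
# must be allowed.
{% if nginx_xfo_enabled %}
add_header X-Frame-Options "{{ nginx_xfo_policy }}";
{% endif %}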
# MIME-sniffing defence: X-Content-Type-Options: nosniff makes browsers honour the
# declared Content-Type instead of guessing from the body, so an upload served as
# text/plain cannot be executed as script or rendered as HTML.
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
#
# The header has a single fixed value, so nothing here is parameterised.
{% if nginx_xcto_enabled %}
add_header X-Content-Type-Options "nosniff";
{% endif %}
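# X-XSS-Protection: enables the legacy reflected-XSS filter of older browsers.
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
#
# CAVEAT: this header is deprecated and current browsers no longer implement the filter;
# the OWASP project now advises `X-XSS-Protection: 0` because the filter itself has been
# abused for cross-site information leaks. Treat a Content-Security-Policy as the real
# defence and keep this only for legacy clients.
#
# nginx_xxxsp_parameters is an optional list of extra directives, e.g. ['mode=block'].
# The value is built as one '; '-joined list so that an empty list renders "1" rather than
# the previous dangling "1; ", and multiple entries no longer get a space before each ';'.
{% if nginx_xxxsp_enabled %}
add_header X-XSS-Protection "{{ (['1'] + (nginx_xxxsp_parameters | default([]))) | join('; ') }}";
{% endif %}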