xoxys.nginx/templates/etc/nginx/conf.d/header.conf.j2

#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}

# protect against protocol downgrading and cookie hijacking
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}
add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always;
{% endif %}

# improve the protection against Clickjacking
# https://owasp.org/www-project-secure-headers/#x-frame-options
{% if nginx_xfo_enabled %}
add_header X-Frame-Options {{ nginx_xfo_policy }} always;
{% endif %}
{% if nginx_csp_enabled and nginx_csp_options is defined %}
add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}" always;
{% endif %}

# prevent from interpreting files as something else than declared by the content type in HTTP headers
# https://owasp.org/www-project-secure-headers/#x-content-type-options
{% if nginx_xcto_enabled %}
add_header X-Content-Type-Options nosniff always;
{% endif %}

# enables the cross-site scripting (XSS) filter of the browsers
# https://owasp.org/www-project-secure-headers/#x-xss-protection
{% if nginx_xxxsp_enabled %}
add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
{% endif %}

# governs which referrer information, sent in the Referer header, should be included with requests made
# https://owasp.org/www-project-secure-headers/#referrer-policy
{% if nginx_rp_enabled %}
add_header Referrer-Policy "{{ nginx_rp_option }}" always;
{% endif %}
add content security policy options 2019-06-11 17:01:38 +02:00			`#jinja2: lstrip_blocks: True`
cleanup 2019-07-18 08:59:41 +02:00			`{{ ansible_managed \| comment }}`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00
			`# protect against protocol downgrading and cookie hijacking`
rework security header 2021-05-20 11:00:24 +02:00			`# https://owasp.org/www-project-secure-headers/#http-strict-transport-security`
add content security policy options 2019-06-11 17:01:38 +02:00			`{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}`
rework security header 2021-05-20 11:00:24 +02:00			`add_header Strict-Transport-Security "{{ nginx_hsts_options \| join('; ') }}" always;`
re-add option for hsts; add option for ocsp stapling 2018-08-14 22:35:00 +02:00			`{% endif %}`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00
			`# improve the protection against Clickjacking`
rework security header 2021-05-20 11:00:24 +02:00			`# https://owasp.org/www-project-secure-headers/#x-frame-options`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`{% if nginx_xfo_enabled %}`
rework security header 2021-05-20 11:00:24 +02:00			`add_header X-Frame-Options {{ nginx_xfo_policy }} always;`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`{% endif %}`
add content security policy options 2019-06-11 17:01:38 +02:00			`{% if nginx_csp_enabled and nginx_csp_options is defined %}`
rework security header 2021-05-20 11:00:24 +02:00			`add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters \| join(' ') }};{% endfor %}" always;`
add content security policy options 2019-06-11 17:01:38 +02:00			`{% endif %}`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00
			`# prevent from interpreting files as something else than declared by the content type in HTTP headers`
rework security header 2021-05-20 11:00:24 +02:00			`# https://owasp.org/www-project-secure-headers/#x-content-type-options`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`{% if nginx_xcto_enabled %}`
rework security header 2021-05-20 11:00:24 +02:00			`add_header X-Content-Type-Options nosniff always;`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`{% endif %}`

			`# enables the cross-site scripting (XSS) filter of the browsers`
rework security header 2021-05-20 11:00:24 +02:00			`# https://owasp.org/www-project-secure-headers/#x-xss-protection`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`{% if nginx_xxxsp_enabled %}`
rework security header 2021-05-20 11:00:24 +02:00			`add_header X-XSS-Protection "{{ nginx_xxxsp_parameters \| default([]) \|join(' ; ') }}" always;`
refactor tls from source/file handling 2018-10-22 10:11:35 +02:00			`{% endif %}`
add Referrer-Policy header 2021-05-20 23:58:24 +02:00
			`# governs which referrer information, sent in the Referer header, should be included with requests made`
			`# https://owasp.org/www-project-secure-headers/#referrer-policy`
			`{% if nginx_rp_enabled %}`
			`add_header Referrer-Policy "{{ nginx_rp_option }}" always;`
			`{% endif %}`