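#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}

# Security response headers (included into nginx server/location blocks).
#
# NOTE(review): nginx `add_header` is not additive across configuration
# levels -- a server/location block that declares any `add_header` of its
# own inherits NONE of the headers defined here. Include this snippet at
# every level that sets headers, otherwise that block sends none of them.
# The `always` parameter emits each header on every status code (not only
# 2xx/3xx); it requires nginx >= 1.7.5.

# protect against protocol downgrading and cookie hijacking
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
# Emit HSTS only from a TLS-terminating server block: RFC 6797 forbids sending
# it over plain HTTP (browsers ignore it there), and a `preload` directive is
# very hard to roll back once submitted to the preload list.
{% if nginx_tls_hsts_enabled and nginx_hsts_options is defined %}
add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always;
{% endif %}

# improve the protection against Clickjacking
# https://owasp.org/www-project-secure-headers/#x-frame-options
# The value is quoted so a policy containing a space (e.g. `ALLOW-FROM <uri>`)
# is one nginx argument instead of two. Prefer CSP `frame-ancestors` where the
# browser population allows; X-Frame-Options is a fallback for older clients.
{% if nginx_xfo_enabled %}
add_header X-Frame-Options "{{ nginx_xfo_policy }}" always;
{% endif %}

# Content Security Policy
# https://owasp.org/www-project-secure-headers/#content-security-policy
# nginx_csp_options is a list of {directive, parameters} items; `parameters`
# may be omitted for value-less directives such as `upgrade-insecure-requests`.
# Parameters are emitted verbatim inside a double-quoted nginx string, so they
# must not contain `"` (CSP keywords such as 'self' use single quotes).
{% if nginx_csp_enabled and nginx_csp_options is defined %}
add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }}{% if item.parameters | default([]) %} {{ item.parameters | join(' ') }}{% endif %}{% if not loop.last %}; {% endif %}{% endfor %}" always;
{% endif %}

# prevent from interpreting files as something else than declared by the content type in HTTP headers
# https://owasp.org/www-project-secure-headers/#x-content-type-options
{% if nginx_xcto_enabled %}
add_header X-Content-Type-Options nosniff always;
{% endif %}

# enables the cross-site scripting (XSS) filter of the browsers
# https://owasp.org/www-project-secure-headers/#x-xss-protection
# NOTE(review): the XSS auditor has been removed from Chromium-based browsers
# and never existed in Firefox; OWASP now recommends `0`, because the filter
# in `1` / `1; mode=block` mode enabled side-channel (XS-Leaks) attacks.
# Set nginx_xxxsp_parameters to ['0'] unless a legacy browser population
# specifically needs the filter. Parameters are joined with '; ' to produce
# the canonical `1; mode=block` form (same separator as HSTS above).
{% if nginx_xxxsp_enabled %}
add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) | join('; ') }}" always;
{% endif %}

# governs which referrer information, sent in the Referer header, should be included with requests made
# https://owasp.org/www-project-secure-headers/#referrer-policy
{% if nginx_rp_enabled %}
add_header Referrer-Policy "{{ nginx_rp_option }}" always;
{% endif %}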