rework security header

defaults/main.yml

@@ -90,6 +90,7 @@ nginx_csp_enabled: False
 
 nginx_xxxsp_enabled: True
 nginx_xxxsp_parameters:
+  - 1
   - mode=block
 
 nginx_maps: []
@@ -162,13 +163,16 @@ nginx_vhosts_default:
 #           - match: /
 #             root: /var/www/vhosts/default
 #             index: index.html
+#             add_headers: []
 #             proxy_pass:
 #             proxy_http_version: "1.1"
 #             proxy_buffering: "off"
 #             proxy_connect_timeout: 3600s
 #             proxy_read_timeout: 3600s
 #             proxy_send_timeout: 3600s
-#             proxy_headers: []
+#             proxy_set_headers: []
+#             proxy_hide_headers: []
+#             proxy_ignore_headers: []
 #             proxy_intercept_errors: "off"
 #             custom_options:
 #         custom_options:

templates/etc/nginx/conf.d/header.conf.j2

@@ -2,28 +2,28 @@
 {{ ansible_managed | comment }}
 
 # protect against protocol downgrading and cookie hijacking
-# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
+# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
 {% if nginx_tls_hsts_enabled and nginx_hsts_options is defined%}
-add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}";
+add_header Strict-Transport-Security "{{ nginx_hsts_options | join('; ') }}" always;
 {% endif %}
 
 # improve the protection against Clickjacking
-# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
+# https://owasp.org/www-project-secure-headers/#x-frame-options
 {% if nginx_xfo_enabled %}
-add_header X-Frame-Options {{ nginx_xfo_policy }};
+add_header X-Frame-Options {{ nginx_xfo_policy }} always;
 {% endif %}
 {% if nginx_csp_enabled and nginx_csp_options is defined %}
-add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}";
+add_header Content-Security-Policy "{% for item in nginx_csp_options %}{{ item.directive }} {{ item.parameters | join(' ') }};{% endfor %}" always;
 {% endif %}
 
 # prevent from interpreting files as something else than declared by the content type in HTTP headers
-# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
 {% if nginx_xcto_enabled %}
-add_header X-Content-Type-Options nosniff;
+add_header X-Content-Type-Options nosniff always;
 {% endif %}
 
 # enables the cross-site scripting (XSS) filter of the browsers
-# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
+# https://owasp.org/www-project-secure-headers/#x-xss-protection
 {% if nginx_xxxsp_enabled %}
-add_header X-XSS-Protection "1; {{ nginx_xxxsp_parameters | default([])|join(' ; ') }}";
+add_header X-XSS-Protection "{{ nginx_xxxsp_parameters | default([]) |join(' ; ') }}" always;
 {% endif %}

templates/etc/nginx/sites-available/vhost.j2

@@ -52,6 +52,14 @@ server {
         {% if location.index is defined and location.index %}
         index  {{ location.index }};
 
+        {% endif %}
+        {% if location.add_headers is defined and location.add_headers %}
+
+        include /etc/nginx/conf.d/header.conf;
+        {% for add in location.add_headers %}
+        add_header {{ add }};
+        {% endfor %}
+
         {% endif %}
         {% if location.proxy_pass is defined and location.proxy_pass %}
         proxy_pass {{ location.proxy_pass }};
@@ -73,10 +81,22 @@ server {
         {% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors %}
         proxy_intercept_errors {{ location.proxy_intercept_errors }};
         {% endif %}
-        {% if location.proxy_headers is defined and location.proxy_headers %}
+        {% if location.proxy_set_headers is defined and location.proxy_set_headers %}
 
-        {% for pheader in location.proxy_headers %}
-        proxy_set_header {{ pheader }};
+        {% for set in location.proxy_set_headers %}
+        proxy_set_header {{ set }};
+        {% endfor %}
+        {% endif %}
+        {% if location.proxy_hide_headers is defined and location.proxy_hide_headers %}
+
+        {% for hide in location.proxy_hide_headers %}
+        proxy_hide_header {{ hide }};
+        {% endfor %}
+        {% endif %}
+        {% if location.proxy_ignore_headers is defined and location.proxy_ignore_headers %}
+
+        {% for ignore in location.proxy_ignore_headers %}
+        proxy_ignore_header {{ ignore }};
         {% endfor %}
         {% endif %}
         {% endif %}