init - PoC works

2026-03-14 10:10:25 +01:00 · 2026-03-14 10:10:25 +01:00 · 6209600037
commit 6209600037
5 changed files with 483 additions and 0 deletions
--- a/nginx-container.conf
+++ b/nginx-container.conf
@ -0,0 +1,67 @@
+# Runs inside the container — TLS and HSTS are handled by the reverse proxy.
+
+server {
+    listen 8080;
+    server_name _;
+
+    root  /usr/share/nginx/html;
+    index index.html;
+
+    # Disable nginx version in error pages and headers
+    server_tokens off;
+
+    # ── Security headers ─────────────────────────────────────────────────────
+    add_header Content-Security-Policy "
+        default-src   'none';
+        script-src    'self' https://cdn.jsdelivr.net;
+        style-src     'unsafe-inline';
+        img-src       'self' data: blob:;
+        frame-src     'self';
+        child-src     'self';
+        connect-src   'none';
+        font-src      'none';
+        object-src    'none';
+        base-uri      'self';
+        form-action   'none';
+        frame-ancestors 'none';
+    " always;
+
+    add_header X-Content-Type-Options  "nosniff"     always;
+    add_header X-Frame-Options         "DENY"        always;
+    add_header Referrer-Policy         "no-referrer" always;
+    add_header Permissions-Policy      "camera=(), microphone=(), geolocation=(), payment=()" always;
+
+    # ── Static files ─────────────────────────────────────────────────────────
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location ~* \.(js|css)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+
+        # nginx overrides parent add_header inside location blocks, so repeat them
+        add_header Content-Security-Policy "
+            default-src   'none';
+            script-src    'self' https://cdn.jsdelivr.net;
+            style-src     'unsafe-inline';
+            img-src       'self' data: blob:;
+            frame-src     'self';
+            child-src     'self';
+            connect-src   'none';
+            font-src      'none';
+            object-src    'none';
+            base-uri      'self';
+            form-action   'none';
+            frame-ancestors 'none';
+        " always;
+        add_header X-Content-Type-Options  "nosniff"     always;
+        add_header X-Frame-Options         "DENY"        always;
+        add_header Referrer-Policy         "no-referrer" always;
+    }
+
+    # Block hidden files (.git, .env, etc.)
+    location ~ /\. {
+        deny all;
+    }
+}