67 lines
2.4 KiB
Text
67 lines
2.4 KiB
Text
# Runs inside the container — TLS and HSTS are handled by the reverse proxy.
|
|
|
|
server {
|
|
listen 8080;
|
|
server_name _;
|
|
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Disable nginx version in error pages and headers
|
|
server_tokens off;
|
|
|
|
# ── Security headers ─────────────────────────────────────────────────────
|
|
add_header Content-Security-Policy "
|
|
default-src 'none';
|
|
script-src 'self' https://cdn.jsdelivr.net;
|
|
style-src 'unsafe-inline';
|
|
img-src 'self' data: blob:;
|
|
frame-src 'self';
|
|
child-src 'self';
|
|
connect-src 'none';
|
|
font-src 'none';
|
|
object-src 'none';
|
|
base-uri 'self';
|
|
form-action 'none';
|
|
frame-ancestors 'none';
|
|
" always;
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header Referrer-Policy "no-referrer" always;
|
|
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
|
|
|
|
# ── Static files ─────────────────────────────────────────────────────────
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
|
|
location ~* \.(js|css)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
|
|
# nginx overrides parent add_header inside location blocks, so repeat them
|
|
add_header Content-Security-Policy "
|
|
default-src 'none';
|
|
script-src 'self' https://cdn.jsdelivr.net;
|
|
style-src 'unsafe-inline';
|
|
img-src 'self' data: blob:;
|
|
frame-src 'self';
|
|
child-src 'self';
|
|
connect-src 'none';
|
|
font-src 'none';
|
|
object-src 'none';
|
|
base-uri 'self';
|
|
form-action 'none';
|
|
frame-ancestors 'none';
|
|
" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header Referrer-Policy "no-referrer" always;
|
|
}
|
|
|
|
# Block hidden files (.git, .env, etc.)
|
|
location ~ /\. {
|
|
deny all;
|
|
}
|
|
}
|