| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-22 13:53:01 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-22 13:53:01 +0100 |
| commit | 78e891f06ab94ef478de1c431157f7d634fe4ac8 (patch) | |
| tree | 028aae8f1277470d704d38d78d8628311dc9c640 /docker/nginx/default.conf | |
| parent | de41aa4531df4515de93eba685cfeb03227a5d4e (diff) | |
Add session cookie hardening and Nginx security headers
Set httponly, samesite=Lax, and auto-detected secure flag on session
cookies. Add X-Content-Type-Options, X-Frame-Options, and
Content-Security-Policy headers in Nginx. Document both in README.
Diffstat (limited to 'docker/nginx/default.conf')
| -rw-r--r-- | docker/nginx/default.conf | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
index 44ebf62..e778b44 100644
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -4,6 +4,14 @@ server {
 root /var/www/html/public;
 index index.php;
 
+ # Prevent browsers from MIME-sniffing a response away from the declared type
+ add_header X-Content-Type-Options "nosniff" always;
+ # Block the page from being loaded inside an iframe (prevents clickjacking)
+ add_header X-Frame-Options "DENY" always;
+ # Only allow resources from the same origin — inline styles are needed for
+ # GD-generated image previews, media-src blob: for webcam capture
+ add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; media-src 'self' blob:;" always;
+
 location / {
 try_files $uri $uri/ /index.php?$query_string;
 }
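Review bot: The three `add_header` directives are placed at `server` level, and nginx discards every inherited `add_header` in any `location` that declares an `add_header` of its own, so if the PHP handler location (outside this hunk) sets even one header, the PHP responses — the pages that actually render the app — will be served without X-Frame-Options or the CSP. Either keep all `add_header` lines out of the location blocks or move these three into a snippet that every location `include`s, and verify with `curl -I` against a `.php` URL rather than a static asset. Separately, `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`, so the policy as written still permits framing by any origin (X-Frame-Options covers that only for browsers honouring it), `<base>` injection and form posts to foreign origins; consider `add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; media-src 'self' blob:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;`. The enclosing `server { }` block continues outside the hunk.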
