authorThomas Vanbesien <tvanbesi@proton.me>2026-03-22 13:53:01 +0100
committerThomas Vanbesien <tvanbesi@proton.me>2026-03-22 13:53:01 +0100
commit78e891f06ab94ef478de1c431157f7d634fe4ac8 (patch)
tree028aae8f1277470d704d38d78d8628311dc9c640 /docker
parentde41aa4531df4515de93eba685cfeb03227a5d4e (diff)
Add session cookie hardening and Nginx security headers
Set httponly, samesite=Lax, and auto-detected secure flag on session cookies. Add X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy headers in Nginx. Document both in README.
Diffstat (limited to 'docker')
-rw-r--r--docker/nginx/default.conf8
1 files changed, 8 insertions, 0 deletions
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
index 44ebf62..e778b44 100644
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -4,6 +4,14 @@ server {
root /var/www/html/public;
index index.php;
+ # Prevent browsers from MIME-sniffing a response away from the declared type
+ add_header X-Content-Type-Options "nosniff" always;
+ # Block the page from being loaded inside an iframe (prevents clickjacking)
+ add_header X-Frame-Options "DENY" always;
+ # Only allow resources from the same origin — inline styles are needed for
+ # GD-generated image previews, media-src blob: for webcam capture
+ add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; media-src 'self' blob:;" always;
+
location / {
try_files $uri $uri/ /index.php?$query_string;
}
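Review bot: The three add_header lines added at server level are silently dropped for any location block in this file that declares its own add_header, because Nginx inherits add_header from the enclosing level only when the current level sets none; the PHP-handling location is outside this hunk, so if it adds any header (for example a cache or CORS header) the new security headers will be absent on exactly the responses that matter most. Repeating the three lines in that location or moving them into a shared `include` snippet avoids this. Separately, the Content-Security-Policy value has no `frame-ancestors` directive, so the clickjacking protection rests on the legacy X-Frame-Options alone; appending `frame-ancestors 'none'; base-uri 'self'; form-action 'self';` to the policy string brings it under the current standard and also constrains where forms may post. The enclosing server block begins before this hunk.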