From 78e891f06ab94ef478de1c431157f7d634fe4ac8 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien
Date: Sun, 22 Mar 2026 13:53:01 +0100
Subject: Add session cookie hardening and Nginx security headers

Set httponly, samesite=Lax, and auto-detected secure flag on session cookies. Add X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy headers in Nginx. Document both in README.
---
 docker/nginx/default.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'docker/nginx')

diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
index 44ebf62..e778b44 100644
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -4,6 +4,14 @@ server {
 root /var/www/html/public;
 index index.php;
 
+# Prevent browsers from MIME-sniffing a response away from the declared type
+add_header X-Content-Type-Options "nosniff" always;
+# Block the page from being loaded inside an iframe (prevents clickjacking)
+add_header X-Frame-Options "DENY" always;
+# Only allow resources from the same origin — inline styles are needed for
+# GD-generated image previews, media-src blob: for webcam capture
+add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; media-src 'self' blob:;" always;
+
 location / {
 try_files $uri $uri/ /index.php?$query_string;
 }
-- 
cgit v1.2.3
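Review bot: The Content-Security-Policy value on the new add_header line sets no `frame-ancestors`, `base-uri` or `form-action`, and none of those three fall back to `default-src`, so framing is governed only by the legacy X-Frame-Options header and an injected `<base>` element or form target is not restricted by the policy; I would extend the directive to `add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; media-src 'self' blob:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;`. Separately, nginx does not inherit `add_header` into any child block that declares its own `add_header`, so if the PHP handler location (not visible in this hunk) or any other location sets a header of its own, these three server-level headers will be silently absent on those responses; it is worth confirming with a request to an index.php-served URL. The comment justifies `'unsafe-inline'` and `blob:` but not `data:` in `img-src`; a short note on what needs it, or dropping it if nothing does, would keep the policy auditable. The enclosing server block starts before this hunk and continues after it.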