sec: Move the CSP to a header on the nginx

frontend/src/index.hbs

@@ -4,7 +4,6 @@
     <title>Lateinicus</title>
 
     <meta charset="UTF-8">
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://unpkg.com; img-src 'self'; img-src 'self' https:; font-src https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';">
     <meta
       name="viewport"
       content="minimum-scale=1, initial-scale=1, width=device-width, shrink-to-fit=no"

server/nginx.conf

@@ -21,13 +21,16 @@ http {
             listen 443 ssl http2;
             add_header Strict-Transport-Security "max-age=31536000" always;
 
+            # Global CSP
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://unpkg.com; img-src 'self' https:; font-src https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';" always;
+
             # SSL configuration
             ssl_certificate     /etc/ssl/lateinicus.pem;
             ssl_certificate_key /etc/ssl/lateinicus.key;
             ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
             ssl_ciphers         HIGH:!aNULL:!MD5;
-            ssl_session_cache   shared:SSL:10m;
-            ssl_session_timeout 10m;
+            ssl_session_cache   shared:SSL:30m;
+            ssl_session_timeout 20m;
             keepalive_timeout   70;
 
             # Enable gzip compression