sec: Move the CSP to a header on the nginx

2018-10-07 13:49:52 +02:00 · 2018-10-07 13:49:52 +02:00 · e398417c99
commit e398417c99
parent 3e3b944e48
2 changed files with 5 additions and 3 deletions
--- a/frontend/src/index.hbs
+++ b/frontend/src/index.hbs
@ -4,7 +4,6 @@
    <title>Lateinicus</title>

    <meta charset="UTF-8">
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://unpkg.com; img-src 'self'; img-src 'self' https:; font-src https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';">
    <meta
      name="viewport"
      content="minimum-scale=1, initial-scale=1, width=device-width, shrink-to-fit=no"
--- a/server/nginx.conf
+++ b/server/nginx.conf
@ -21,13 +21,16 @@ http {
            listen 443 ssl http2;
            add_header Strict-Transport-Security "max-age=31536000" always;

+            # Global CSP
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://unpkg.com; img-src 'self' https:; font-src https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';" always;
+
            # SSL configuration
            ssl_certificate     /etc/ssl/lateinicus.pem;
            ssl_certificate_key /etc/ssl/lateinicus.key;
            ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers         HIGH:!aNULL:!MD5;
-            ssl_session_cache   shared:SSL:10m;
-            ssl_session_timeout 10m;
+            ssl_session_cache   shared:SSL:30m;
+            ssl_session_timeout 20m;
            keepalive_timeout   70;

            # Enable gzip compression