authorPaul Duncan <pabs@pablotron.org>2025-06-07 17:58:09 -0400
committerPaul Duncan <pabs@pablotron.org>2025-06-07 17:58:09 -0400
commitecc15b6adf841cf8140bcfad90dd356ba0d30194 (patch)
tree222ff400436e33472263f896e978ad4db1cd1903
parent1bc96a948d58018afdd63df8750b63f0baeb9ea0 (diff)
downloadpablotron.org-ecc15b6adf841cf8140bcfad90dd356ba0d30194.tar.xz
pablotron.org-ecc15b6adf841cf8140bcfad90dd356ba0d30194.zip
content/articles/site-backend.md: "Onion Service": add caching and security headers to nginx config
-rw-r--r--content/articles/site-backend.md31
1 files changed, 31 insertions, 0 deletions
diff --git a/content/articles/site-backend.md b/content/articles/site-backend.md
index a4ff842..e096e0d 100644
--- a/content/articles/site-backend.md
+++ b/content/articles/site-backend.md
@@ -574,6 +574,35 @@ server {
# enable compression, compress common types
gzip on;
gzip_types text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml;
+
+ # security headers (see comments in apache config)
+ add_header "X-Frame-Options" "SAMEORIGIN";
+ add_header "X-Content-Type-Options" "nosniff";
+ add_header "Cross-Origin-Opener-Policy" "same-origin";
+ add_header "Cross-Origin-Resource-Policy" "same-origin";
+ add_header "Access-Control-Allow-Origin" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion";
+ add_header "Referrer-Policy" "strict-origin-when-cross-origin";
+ add_header "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()";
+
+ # different from apache; POST method not needed
+ add_header "Access-Control-Allow-Methods" "GET, HEAD, OPTIONS";
+
+ location ~ \.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$ {
+ # cache images, stylesheets, and javascript for 1 year
+ # note: caching makes a BIG difference when browsing via tor
+ expires 1y;
+ }
+
+ location ~ \.svg$ {
+ # relax Content-Security-Policy for SVGs to allow
+ # `style-src-attr 'unsafe-inline'`
+ add_header "Content-Security-Policy" "default-src 'self'; img-src 'self'; style-src-attr 'self' 'unsafe-inline'";
+ }
+
+ location ^~ \.svg$ {
+ # default Content-Security-Policy
+ add_header "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org";
+ }
}
```
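Review bot: The two Content-Security-Policy locations at the end of the hunk do not take effect as written: nginx tries regex locations in order and uses the first match, so a request for `foo.svg` is captured by the `\.(ico|…|svg|…)$` block above it and `location ~ \.svg$` is never reached, while `^~` is a prefix-match modifier rather than a regex, so `location ^~ \.svg$` only matches a URI that begins with the literal text `\.svg$` and the "default" CSP is therefore sent on no response at all. A second problem surfaces once those locations do match: `add_header` is inherited from `server` into a `location` only when that location declares no `add_header` of its own, so a location that sets CSP silently drops X-Frame-Options, X-Content-Type-Options and the rest of the server-level set for those responses. One way to address both is sketched below: set the default CSP once at `server` level, keep the shared headers in an included snippet that is included again in any location that adds a header, and place the SVG location before the general static-asset pattern. If the headers should also appear on 4xx/5xx responses, each directive needs `add_header … always;`, since without `always` nginx adds them only to 2xx/3xx responses. The enclosing `server { … }` block begins before the hunk.
```nginx
# … unchanged: gzip directives …

# security headers (see comments in apache config)
# add_header is NOT inherited into a location that has its own add_header,
# so the shared set lives in a snippet that is included again in such locations
include <SECURITY-HEADERS-SNIPPET-PATH>;   # placeholder: file holding the add_header lines from this hunk

# default Content-Security-Policy, set once at server level
add_header "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org";

# SVG first: regex locations are tried in order and the first match wins
location ~ \.svg$ {
    include <SECURITY-HEADERS-SNIPPET-PATH>;
    # relax Content-Security-Policy for SVGs to allow `style-src-attr 'unsafe-inline'`
    add_header "Content-Security-Policy" "default-src 'self'; img-src 'self'; style-src-attr 'self' 'unsafe-inline'";
    expires 1y;
}

location ~ \.(ico|jpg|jpeg|png|gif|webp|js|json|css)$ {
    # cache images, stylesheets, and javascript for 1 year
    # note: caching makes a BIG difference when browsing via tor
    expires 1y;
}
```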
@@ -655,6 +684,8 @@ published.
- 2025-04-26: Document [PNG][] [favicon][].
- 2025-05-12: Document [htmltest][] and [goaccess][].
- 2025-05-18: Add [Onion Service](#onion-service "Onion Service") section.
+- 2025-06-07: Add caching and security headers to [nginx][] config in
+ [Onion Service](#onion-service "Onion Service") section.
[s-hugo-configuration]: #hugo-configuration
"Hugo Configuration"