penal-colony/nixos-vps
2
0
Fork 1
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

feat(nginx): add security headers with per-domain CSP

Browse source 
- Add HSTS (6 months, includeSubDomains, preload-ready)
- Add X-Content-Type-Options: nosniff
- Add Permissions-Policy (disable camera/mic/geolocation)
- Add Cross-Origin-Resource-Policy: same-origin
- Add Cross-Origin-Opener-Policy: same-origin
- Add configurable Content-Security-Policy per domain

Per-service CSP tuning:
- SearXNG: null (handles its own CSP in settings.yml)
- Forgejo: relaxed (unsafe-inline/eval for code highlighting)
- Vaultwarden: relaxed (unsafe-eval for WebCrypto vault)

Fixes: missing CSP, HSTS, X-Content-Type-Options headers
This commit is contained in:
Franz Kafka 2026-03-19 13:42:41 +00:00
parent 6354a030f0
commit fbea02867e
4 changed files with 35 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
modules/forgejo.nix
View file

@ -100,6 +100,8 @@ in
extraConfig = ''
client_max_body_size 512M;
'';
# Relaxed CSP for Forgejo — needs inline styles for code highlighting
contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' wss://${cfg.domain}; frame-ancestors 'self'";
};
# Open SSH port for Git