feat(nginx): add security headers with per-domain CSP #1

Merged

ashie merged 1 commit from franz-kafka/nixos-vps:feat/security-headers into main

2026-03-19 14:04:45 +00:00

Author	SHA1	Message	Date
Franz Kafka	fbea02867e	feat(nginx): add security headers with per-domain CSP - Add HSTS (6 months, includeSubDomains, preload-ready) - Add X-Content-Type-Options: nosniff - Add Permissions-Policy (disable camera/mic/geolocation) - Add Cross-Origin-Resource-Policy: same-origin - Add Cross-Origin-Opener-Policy: same-origin - Add configurable Content-Security-Policy per domain Per-service CSP tuning: - SearXNG: null (handles its own CSP in settings.yml) - Forgejo: relaxed (unsafe-inline/eval for code highlighting) - Vaultwarden: relaxed (unsafe-eval for WebCrypto vault) Fixes: missing CSP, HSTS, X-Content-Type-Options headers	2026-03-19 13:42:41 +00:00

Author

SHA1

Message

Date

Franz Kafka

fbea02867e

feat(nginx): add security headers with per-domain CSP

- Add HSTS (6 months, includeSubDomains, preload-ready)
- Add X-Content-Type-Options: nosniff
- Add Permissions-Policy (disable camera/mic/geolocation)
- Add Cross-Origin-Resource-Policy: same-origin
- Add Cross-Origin-Opener-Policy: same-origin
- Add configurable Content-Security-Policy per domain

Per-service CSP tuning:
- SearXNG: null (handles its own CSP in settings.yml)
- Forgejo: relaxed (unsafe-inline/eval for code highlighting)
- Vaultwarden: relaxed (unsafe-eval for WebCrypto vault)

Fixes: missing CSP, HSTS, X-Content-Type-Options headers

2026-03-19 13:42:41 +00:00