Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection X-Xss-Protection should be set explicitly to 0, as enabling it opens up additional vulnerabilities. Additionally, remove the X-Powered-By and Last-Modified headers for opsec. Set X-Content-Type-Options to nosniff as well.
parent
a2b157c607
commit
a9a1398a5a
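--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -28,13 +28,19 @@ https://[YOUR-DOMAIN]:443 {
 # Enable HTTP Strict Transport Security (HSTS)
 Strict-Transport-Security "max-age=31536000;"
 # Enable cross-site filter (XSS) and tell browser to block detected attacks
-X-XSS-Protection "1; mode=block"
+X-XSS-Protection "0"
 # Disallow the site to be rendered within a frame (clickjacking protection)
 X-Frame-Options "DENY"
 # Prevent search engines from indexing (optional)
+# Disallow sniffing of X-Content-Type-Options
+X-Content-Type-Options "nosniff"
 X-Robots-Tag "none"
 # Server name removing
 -Server
+# Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
+-X-Powered-By
+# Remove Last-Modified because etag is the same and is as effective
+-Last-Modified
 }
 # The negotiation endpoint is also proxied to Rocket
 reverse_proxy /notifications/hub/negotiate vaultwarden:80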
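Review bot: The comment above the changed `X-XSS-Protection "0"` line still says "Enable cross-site filter (XSS) and tell browser to block detected attacks", which is the opposite of what the new value does; it should read something like `# Explicitly disable the legacy browser XSS auditor (per MDN it can introduce issues in older browsers); rely on a Content-Security-Policy for XSS mitigation instead`. The two new nosniff lines are inserted between `# Prevent search engines from indexing (optional)` and `X-Robots-Tag "none"`, so that comment now appears to describe the nosniff directive rather than the robots one; move them below `X-Robots-Tag "none"` and reword the comment to `# Prevent browsers from MIME-sniffing responses away from the declared Content-Type`, since "sniffing of X-Content-Type-Options" is not what the header controls. The justification `# Remove Last-Modified because etag is the same and is as effective` assumes the upstream always sends an ETag, which this hunk does not show; consider hedging it to "when the upstream sends an ETag" or verifying it. The header block these directives belong to opens before the hunk, so only the directives inside it are visible here.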