PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
11f429eb72436845f94b65dfeea782840c133a78
xamxam/nginx/docs/SECURITY_HEADERS.md
Pontoporeia 507f3eb704 Consolidate nginx docs and scripts, update paths
2026-04-15 14:24:44 +02:00

1.9 KiB
Raw Blame History

Security Headers — nginx/posterg.conf

Headers in use (main server block — all pages)

Header Value Purpose
X-Frame-Options SAMEORIGIN Prevent clickjacking
X-Content-Type-Options nosniff Prevent MIME-type sniffing
Referrer-Policy strict-origin-when-cross-origin Limit referrer leakage
Permissions-Policy geolocation=(), microphone=(), camera=() Disable unused browser APIs

Headers in use (/admin/ location block)

Header Value Purpose
Content-Security-Policy default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; Restrict resource origins; block embedding
X-Robots-Tag noindex, nofollow Prevent search-engine indexing of admin

These were previously declared in public/admin/.htaccess as Apache mod_headers directives, which nginx silently ignores. They are now properly configured in nginx/posterg.conf. enforced directly; see HTACCESS_TO_NGINX.md for the full migration log.

Intentionally omitted headers

X-XSS-Protection

This header was removed (was "1; mode=block").

Why: X-XSS-Protection is deprecated and removed from all modern browsers (Chrome 78+, Firefox never implemented it, Edge dropped it). Worse, the mode=block behaviour can be actively exploited to expose response bodies that would otherwise be blocked. Sending it provides no protection and may introduce risk.

Correct mitigation: a proper Content-Security-Policy header (now done for /admin/; public-page CSP is todo item #11).

Pending headers

Header Scope Status
Content-Security-Policy Public pages (non-admin) todo item #11
Reference in New Issue View Git Blame Copy Permalink