|
|
|
@ -11,6 +11,15 @@ map $sent_http_content_type $expires_type_map { |
|
|
|
~image/ max; |
|
|
|
} |
|
|
|
|
|
|
|
map $request_uri $csp_header { |
|
|
|
# The default CSP: |
|
|
|
# - "img-src data:" is needed for Spectre.css icons |
|
|
|
default "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"; |
|
|
|
# The CSP for the Stripe donation page: |
|
|
|
# - "https://js.stripe.com" in script-src and frame-src is needed for Stripe |
|
|
|
"~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"; |
|
|
|
} |
|
|
|
|
|
|
|
server { |
|
|
|
# block bots that don't obey robots.txt |
|
|
|
if ($http_user_agent ~* (SemrushBot)) { |
|
|
|
@ -39,10 +48,7 @@ server { |
|
|
|
{% endif %} |
|
|
|
|
|
|
|
{% if nginx_enable_csp %} |
|
|
|
# Content Security Policy: |
|
|
|
# - "img-src data:" is needed for Spectre.css icons |
|
|
|
# - "https://js.stripe.com" in script-src and frame-src is needed for Stripe |
|
|
|
add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always; |
|
|
|
add_header Content-Security-Policy $csp_header always; |
|
|
|
{% endif %} |
|
|
|
|
|
|
|
add_header X-Content-Type-Options "nosniff" always; |
|
|
|
|
Bauke
10 months ago
Deimos