From 0729d089f8b959869a9f9e1f16db60d9c656b5bf Mon Sep 17 00:00:00 2001
From: "Reid \"reidlab"
Date: Wed, 8 May 2024 22:58:04 -0700
Subject: [PATCH] change nginx headers
---
modules/services/nginx-conf.nix | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix
index 84a40ab..3c34ad8 100755
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@@ -77,6 +77,8 @@ in {
in ''
lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
+ # add hsts header with preloading to https reqeusts
+ # adding this header to http requests is
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
@@ -84,14 +86,22 @@ in {
# Enable CSP for your services.
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- # ^ this above breaks forgejo/gitea so
+ # Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
+
+ # Disable embedding as a frame
+ #add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ #add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ #add_header X-XSS-Protection "1; mode=block";
# This might create errors
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
${realIpsFromList cfipv4}
${realIpsFromList cfipv6}
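Review bot: The new HSTS comment is unfinished (`# adding this header to http requests is` stops mid-sentence) and misspells "requests", so it never states why the map deliberately has no default branch; I would replace both lines with `# HSTS is only meaningful over TLS: $hsts_header is empty for plain-HTTP requests, so nginx omits the header there (RFC 6797 requires clients to ignore it over HTTP anyway).` The value also commits to `preload` together with `includeSubdomains`, which is only appropriate if every subdomain of the zone is served over HTTPS and the domain is actually submitted to the preload list, because once preloaded the policy cannot be withdrawn for users until the list removal ships in browsers; a one-line comment recording that decision would help the next maintainer. Where `$hsts_header` is actually emitted, and whether that `add_header` carries `always`, is outside this hunk.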
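Review bot: Commenting out `add_header X-Content-Type-Options nosniff;` removes MIME-sniffing protection that was previously active, and since CSP stays disabled above and X-Frame-Options is only ever introduced as a comment, Referrer-Policy is now the sole security header this block still emits, with no clickjacking protection at all. The removed comment blamed CSP for breaking forgejo/gitea, not nosniff, so unless a concrete breakage was observed I would keep `add_header X-Content-Type-Options nosniff always;` and enable `add_header X-Frame-Options SAMEORIGIN always;` (the `always` flag also sends them on 4xx/5xx responses, where error pages are otherwise unprotected). The X-XSS-Protection comment should give the real reason it can stay off, e.g. `# X-XSS-Protection is deprecated and no longer honoured by current Chromium-based browsers or Firefox; rely on CSP instead.` Note also that nginx's add_header is not inherited by any server or location block that declares its own add_header, so these http-level headers are silently dropped there unless repeated; the enclosing Nix string and the place these headers are served continue outside the hunk.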