-rw-r--r--hosts/vps/git.nix2
-rw-r--r--hosts/vps/website.nix26
2 files changed, 28 insertions, 0 deletions
diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix
index 9d50865..cf05aae 100644
--- a/hosts/vps/git.nix
+++ b/hosts/vps/git.nix
@@ -21,6 +21,8 @@
       caddy = {
         virtualHosts."http://100.67.217.90".extraConfig = ''
           bind 100.67.217.90
+          ${config.website.defaultHeaders}
+          header -Server
           handle /cgit.png {
             root * ${pkgs.cgit}/cgit
             file_server
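Review bot: The added `header -Server` line duplicates the `-Server` that `${config.website.defaultHeaders}` already emits inside its `header { ... }` block, so one of the two can be dropped; keeping only the interpolation avoids the two drifting apart later. Note also that this virtual host is bound to a plain `http://` address, so the `Strict-Transport-Security` header carried in `defaultHeaders` is, as far as I can tell, ignored by browsers on this host — harmless, but worth a one-line comment such as `# HSTS in defaultHeaders is a no-op over plain HTTP` if the host stays HTTP-only. The enclosing `caddy = { ... }` attrset starts and ends outside this hunk.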
diff --git a/hosts/vps/website.nix b/hosts/vps/website.nix
index fd7f71c..5d767c5 100644
--- a/hosts/vps/website.nix
+++ b/hosts/vps/website.nix
@@ -1,8 +1,34 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }: {
+  options.website.defaultHeaders = lib.mkOption {
+    type = lib.types.str;
+    default = ''
+      header {
+        -Server
+        # disable indexing by search engines
+
+        X-Robots-Tag "noindex, nofollow"
+        # disable FLoC tracking
+        Permissions-Policy interest-cohort=()
+
+        # enable HSTS
+        Strict-Transport-Security max-age=31536000;
+
+        # disable clients from sniffing the media type
+        X-Content-Type-Options nosniff
+
+        # clickjacking protection
+        X-Frame-Options DENY
+
+        # keep referrer data off of HTTP connections
+        Referrer-Policy no-referrer-when-downgrade
+      }
+    '';
+  };
   config = {
     services.caddy = {
       enable = true;
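Review bot: `options.website.defaultHeaders` is declared with `lib.mkOption` but has no `description`, so the option shows up undocumented in any generated module documentation; adding `description = "Caddyfile header block applied to every virtual host";` alongside `type` would fix that. The `Strict-Transport-Security max-age=31536000;` value keeps its trailing `;` as part of the header value, since `;` is not a token separator in a Caddyfile; clients appear to tolerate it, but `Strict-Transport-Security max-age=31536000` is the cleaner form. A short comment on the option explaining that it is meant to be interpolated into each `virtualHosts.*.extraConfig` (as the git.nix hunk does) would help the next reader. The attrset that this option belongs to continues past the hunk (`config = {` opens on the last context lines).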