From 7df97d3d12c803437fd49a7b4050a940c8b62678 Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sat, 18 Feb 2023 15:05:37 +0200
Subject: add default headers to caddy config and git vhost

---
 hosts/vps/git.nix | 2 ++
 hosts/vps/website.nix | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
(limited to 'hosts/vps')
diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix
index 9d50865..cf05aae 100644
--- a/hosts/vps/git.nix
+++ b/hosts/vps/git.nix
@@ -21,6 +21,8 @@
 caddy = {
 virtualHosts."http://100.67.217.90".extraConfig = ''
 bind 100.67.217.90
+ ${config.website.defaultHeaders}
+ header -Server
 handle /cgit.png {
 root * ${pkgs.cgit}/cgit
 file_server
diff --git a/hosts/vps/website.nix b/hosts/vps/website.nix
index fd7f71c..5d767c5 100644
--- a/hosts/vps/website.nix
+++ b/hosts/vps/website.nix
@@ -1,8 +1,34 @@
 {
 pkgs,
 config,
+ lib,
 ...
 }: {
+ options.website.defaultHeaders = lib.mkOption {
+ type = lib.types.str;
+ default = ''
+ header {
+ -Server
+ # disable indexing by search engines
+
+ X-Robots-Tag "noindex, nofollow"
+ # disable FLoC tracking
+ Permissions-Policy interest-cohort=()
+
+ # enable HSTS
+ Strict-Transport-Security max-age=31536000;
+
+ # disable clients from sniffing the media type
+ X-Content-Type-Options nosniff
+
+ # clickjacking protection
+ X-Frame-Options DENY
+
+ # keep referrer data off of HTTP connections
+ Referrer-Policy no-referrer-when-downgrade
+ }
+ '';
+ };
 config = {
 services.caddy = {
 enable = true;
-- cgit 1.4.1
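Review bot: The added `header -Server` is redundant on the git vhost, because the `${config.website.defaultHeaders}` block interpolated on the line above already contains `-Server` inside its `header { … }` block (visible in the website.nix hunk of this same commit); dropping the second line avoids two header handlers doing the same thing. Note also that this vhost is `http://100.67.217.90`, a plain-HTTP, IP-literal site: browsers ignore `Strict-Transport-Security` on non-TLS responses and do not apply it to IP-address hosts at all, so the HSTS line carried in by the default headers is inert here. A comment such as `# defaultHeaders includes HSTS; it has no effect on this plain-HTTP vhost` would stop a later reader from assuming the git host is pinned to TLS. The enclosing `virtualHosts` block and the `handle /cgit.png` block both continue outside the hunk.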
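Review bot: `Referrer-Policy no-referrer-when-downgrade` at the bottom of the new `header { … }` block is the weakest policy short of `unsafe-url`: it still sends the full URL, path and query included, to any third-party HTTPS origin, which the comment "keep referrer data off of HTTP connections" does not make clear; `Referrer-Policy strict-origin-when-cross-origin` (the current browser default) or `no-referrer` is the safer choice for a site-wide default. `X-Frame-Options DENY` covers legacy clients, but modern browsers prefer `Content-Security-Policy "frame-ancestors 'none'"`, and adding it alongside costs nothing. The HSTS line has no `includeSubDomains`, so subdomains stay unprotected, and the trailing `;` in `max-age=31536000;` ends up in the emitted header value — tolerated by the RFC 6797 grammar, but it should be dropped. The `mkOption` has no `description`; something like `description = "Caddyfile header block applied to every virtual host";` would document what the string is expected to contain and that any override replaces the whole block rather than extending it.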