Add HSTS header at the origin (host-scoped, no includeSubDomains)
build-and-deploy / build (push) Failing after 13m53s
build-and-deploy / build (push) Failing after 13m53s
This commit is contained in:
@@ -2,8 +2,10 @@
|
|||||||
# that sets its own add_header (because add_header in a location REPLACES, not
|
# that sets its own add_header (because add_header in a location REPLACES, not
|
||||||
# merges, inherited headers — the classic nginx footgun).
|
# merges, inherited headers — the classic nginx footgun).
|
||||||
#
|
#
|
||||||
# HSTS + HTTP->HTTPS redirect are set at the Cloudflare edge (TLS terminates
|
# HSTS is set here at the origin (travels through the tunnel to the client) — host-scoped,
|
||||||
# there), so they are intentionally NOT here.
|
# NO includeSubDomains / preload (the *.bztmon.com wildcard points elsewhere, so forcing HTTPS
|
||||||
|
# on every subdomain would be dangerous). HTTP->HTTPS upgrade is handled by Cloudflare.
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||||
|
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; worker-src 'self'; manifest-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" always;
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; worker-src 'self'; manifest-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" always;
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
|||||||
Reference in New Issue
Block a user