Set base CSP, security headers and set column permissions for tables

2025-11-22 10:51:36 +01:00 · 2024-09-24 16:06:24 +02:00
parent 1e9f076bc7
commit e87ea3cfb5
7 changed files with 102 additions and 81 deletions
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -161,6 +161,12 @@ in
        limit_req_zone $binary_remote_addr zone=requestLimit:10m rate=5r/s;
        limit_req_status 429;
        limit_req zone=requestLimit burst=20 nodelay;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(self),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(self),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),xr-spatial-tracking=(),clipboard-read=(self),clipboard-write=(self),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=(),unload=()" always;
      '';

      virtualHosts = {
@@ -189,7 +195,7 @@ in
            };
          };
        };
-        "~^(?<subdomain>.+)\\.${lib.strings.escapeRegex cfg.domain}$" = {
+        "~^(?<subdomain>.+)\\.${cfg.domain}$" = {
          useACMEHost = cfg.domain;
          forceSSL = true;
          locations = {