From d4a4964a6bf29b074dd95ff17789a2bb83c999f4 Mon Sep 17 00:00:00 2001
From: Panayiotis Savva
Date: Thu, 14 Sep 2023 14:42:41 +0300
Subject: [PATCH] security policy for the reverse proxy
---
 docker/SERVER/nginx.conf | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/docker/SERVER/nginx.conf b/docker/SERVER/nginx.conf
index 7cebd18..1464a48 100644
--- a/docker/SERVER/nginx.conf
+++ b/docker/SERVER/nginx.conf
@@ -6,3 +6,24 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
 proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+## Security Configuration
+
+# Do not allow the browser to render the page inside an frame or iframe and avoid clickjacking
+# Allow iframes only from the same origin by setting to 'SAMEORIGIN'
+add_header X-Frame-Options SAMEORIGIN;
+
+# Disable content-type sniffing
+add_header X-Content-Type-Options nosniff;
+
+# Cross-site scripting (XSS) filter
+add_header X-XSS-Protection "1; mode=block";
+
+# Content Security Policy (CSP)
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'none'; object-src 'none';";
+
+# Enable HSTS(HTTP Strict Transport Security)
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+
+# Do not leak server info such as the nginx version number in error pages or the server headers
+server_tokens off;
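Review bot: The CSP's `frame-ancestors 'none'` contradicts the `X-Frame-Options SAMEORIGIN` directive above it and the comment saying same-origin iframes are allowed; browsers that understand `frame-ancestors` ignore `X-Frame-Options` when both are present, so same-origin framing is in fact blocked. Either change the comment and header to `DENY`, or make the policy read `frame-ancestors 'self'` — the two headers should agree. Separately, every `add_header` here lacks the `always` parameter, so these headers are sent only on 2xx/3xx responses and not on the error pages the `server_tokens` comment is concerned with; `add_header X-Frame-Options SAMEORIGIN always;` (and likewise for the other four) closes that gap. Also note that nginx drops inherited `add_header` directives in any nested `server`/`location` block that declares its own `add_header`, and that HSTS `preload` with `includeSubdomains` commits every subdomain to HTTPS for a year and is hard to revoke, so both deserve a short comment in the file. The `'unsafe-inline' 'unsafe-eval'` in `script-src` largely neutralises the script restriction; if that is a deliberate trade-off for this application, say so in the CSP comment.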