nginx-harden-https.conf

# Shared TLS/SSL options for nginx vhosts - apply by adding something like
#        include /etc/nginx/harden-https.conf;
# in each HTTPS vhost section after mapping this file into the container.

# Strong ciphers reused from mig/shared/tlsserver.py
# based on intermediate configuration from https://ssl-config.mozilla.org
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# NOTE: we don't enable recommende OCSP stapling here due to self-signed cert

### This is a collection of additional security headers to add in nginx
# Some are inspired by
# https://www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx
#
# It might be useful to run a check with the versatile tools at
# https://observatory.mozilla.org

# NOTE: we added HSTS (ngx_http_headers_module is required)
add_header Strict-Transport-Security "max-age=31536000" always;

# NOTE: Set Content-Security-Policy to prevent iframe clickjacking as
# recommended by W3C and security scans.
add_header Content-Security-Policy "frame-ancestors 'self';" always;

# Additional hardening inspired by https://gist.github.com/plentz/6737338
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;

# TODO: consider enabling these but make sure they don't break functionality
#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; object-src 'none'";

# Recommended by https://securityheaders.com
add_header Referrer-Policy "strict-origin" always;