@Yinchie
Last active February 17, 2017 22:51
nginx security headers. This config is applied only to the main website `location`, not to static assets; that saves bandwidth, since most of these headers (HSTS, CSP, framing, referrer policy) only matter when the HTML document itself loads. One caveat: X-Content-Type-Options is evaluated per response, so to stop MIME sniffing of scripts and stylesheets it has to be sent on those asset responses too. Also note that nginx does not merge add_header across levels: add_header lines in a location block replace any inherited from the server block, so every header you want must be listed in the block where it is used.
# "always" makes nginx send the header on every status code; without it, add_header is
# only applied to 2xx/3xx responses, so 404 and 5xx pages would go out without HSTS or CSP.
# Not a security header: tells Internet Explorer to use its newest rendering engine.
add_header X-UA-Compatible "IE=Edge" always;
# Enable the browser's reflective cross-site-scripting filter (legacy: the filter has been
# removed from Chrome and Edge and never existed in Firefox; CSP is the real control).
add_header X-XSS-Protection "1; mode=block" always;
# Strengthens TLS by getting the user agent to enforce HTTPS for this host for two years.
# includeSubDomains covers every subdomain, and preload is a request for inclusion in the
# browsers' built-in HSTS list; both are hard to undo, so be sure all subdomains serve HTTPS.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Tell the browser whether your site may be framed (same origin only here).
# Preventing framing defends against clickjacking; CSP frame-ancestors is the modern equivalent.
add_header X-Frame-Options "SAMEORIGIN" always;
# Prevent browsers from MIME-sniffing a response's content type away from the one the server declares.
add_header X-Content-Type-Options "nosniff" always;
# Controls how much referrer information the browser sends with navigations away from a document;
# every site should set this. no-referrer-when-downgrade still sends the full URL to other HTTPS origins.
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# By whitelisting sources of approved content you stop the browser loading malicious assets.
# Caveats: "data:" in script-src lets attacker-controlled data: URIs execute, so it weakens
# the policy considerably; 'unsafe-inline' in style-src permits injected CSS. The directives
# disown-opener, reflected-xss and referrer only ever existed in CSP drafts; browsers ignore them.
add_header Content-Security-Policy "default-src 'self' cdn.itchy.nl; script-src 'self' data: gist.github.com connect.facebook.net 'sha256-WlCNIcDYOWEbpNn1anQINNBK51F9CAJXMp6KwbaNhwE='; style-src 'self' data: 'unsafe-inline' assets-cdn.github.com; img-src 'self' data: assets-cdn.github.com www.facebook.com; font-src 'self' data:; child-src 'self' www.youtube.com gaming.youtube.com player.twitch.tv www.facebook.com connect.facebook.net staticxx.facebook.com; upgrade-insecure-requests; block-all-mixed-content; disown-opener; reflected-xss block; base-uri https://itchy.nl; referrer no-referrer-when-downgrade" always;
# Protects the site from MitM attacks using rogue X.509 certificates.
# By whitelisting only the SPKI hashes the browser should trust, users stay protected if a CA is compromised.
# Pins are base64(SHA-256(SubjectPublicKeyInfo DER)); at least one pin must be a backup key that is
# not in the served chain, and the short max-age (30 days) limits the damage if a key is lost.
# Note: HPKP has since been removed from Chrome and Firefox (Safari never supported it), so this
# header is now ignored; a pinning mistake used to lock users out of the site for max-age.
# Let's Encrypt Authority X3, ec-secp384r1.csr, rsa-2048.csr, backup EC, backup RSA
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="JUsMuoa8gRoKh0iUOn6Xh0rQsTAyrOmS5YbXOsAx9RI="; pin-sha256="DEpuCnuD202U2HOiXYEH6qvWdAyol9yI3l4KtjXRu6s="; pin-sha256="Pb3UYlTzcs3f6b5ENgh1oxBVL+tP5GHiN0yslKFtVOw="; pin-sha256="i3ryTV5o5d2n+A+hpOUp70qsD2CQbhA5vpOw1ODCUes="; max-age=2592000' always;
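The following is an added example, not part of the gist: an offline audit script that parses a constructed HTTP response (the kind of response the add_header lines above would produce for the main location) and checks the properties a reviewer would verify by hand: HSTS max-age and includeSubDomains, nosniff, a restrictive X-Frame-Options, CSP script-src hygiene and draft-only directives, and the shape of HPKP pins (base64 SHA-256, at least one backup pin). The sample response, the one-year HSTS threshold and the finding strings are assumptions made for the example.

```python
"""Offline audit of a security-header set like the one in the gist above.

Added example, not the gist author's code. The sample response below is
constructed by hand to mirror the configured headers (a trimmed CSP, two of
the five pins); run against a real site you would capture the headers with
`curl -sI https://host/` and feed the raw text to audit().
"""
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample response (not captured from a live server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' cdn.itchy.nl; script-src 'self' data: gist.github.com 'sha256-WlCNIcDYOWEbpNn1anQINNBK51F9CAJXMp6KwbaNhwE='; style-src 'self' data: 'unsafe-inline'; reflected-xss block; disown-opener
Public-Key-Pins: pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="JUsMuoa8gRoKh0iUOn6Xh0rQsTAyrOmS5YbXOsAx9RI="; max-age=2592000

"""

# CSP directives that appeared only in drafts; shipping browsers ignore them.
UNSUPPORTED_CSP_DIRECTIVES = {"reflected-xss", "disown-opener", "referrer"}
ONE_YEAR = 31536000  # assumed minimum HSTS max-age for this audit
PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lowercased header name -> value for the header block of a raw response."""
    headers: Dict[str, str] = {}
    for line in raw.split("\n")[1:]:  # skip the status line
        line = line.rstrip("\r")
        if not line:                   # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def pin_is_sha256(pin: str) -> bool:
    """A valid pin is base64 of exactly 32 bytes (SHA-256 of the SPKI DER)."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except binascii.Error:
        return False


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    h = parse_headers(raw)

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing")
    else:
        if int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when absent, as the browser does.
        script_src = csp.get("script-src", csp.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "data:", "*"):
            if weak in script_src:
                findings.append(f"CSP script-src allows {weak}")
        for d in sorted(UNSUPPORTED_CSP_DIRECTIVES & csp.keys()):
            findings.append(f"CSP directive {d} is ignored by browsers")

    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        pins = PIN_RE.findall(hpkp)
        if any(not pin_is_sha256(p) for p in pins):
            findings.append("HPKP contains a malformed pin")
        if len(pins) < 2:
            findings.append("HPKP needs at least one backup pin")
        findings.append("HPKP is deprecated and ignored by current browsers")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        print("-", f)
```

Run against the constructed sample, the audit reports the data: source in script-src, the two draft-only CSP directives, and the deprecated HPKP header; the HSTS, nosniff and framing checks pass.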