Set HTTP security headers.

See https://securityheaders.io .

3 files changed, 6 insertions, 0 deletions

diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
index 6df1615..6cbea18 100644
--- a/roles/common-web/files/etc/nginx/sites-available/default
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -8,4 +8,5 @@ server {
     # serve ACME challenges on all virtual hosts
     # /!\ need to be served individually for each explicit virtual host as well!
     include snippets/acme-challenge.conf;
+    include snippets/headers.conf;
 }
diff --git a/roles/common-web/files/etc/nginx/snippets/headers.conf b/roles/common-web/files/etc/nginx/snippets/headers.conf
new file mode 100644
index 0000000..60e5ace
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/headers.conf
@@ -0,0 +1,4 @@
+# https://securityheaders.io/
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index fb6bb2d..02b7134 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -19,6 +19,7 @@
     - fastcgi-php.conf
     - fastcgi-php-ssl.conf
     - ssl.conf
+    - headers.conf
     - acme-challenge.conf
   notify:
     - Restart Nginx