From: shibayashi Date: Tue, 28 Aug 2018 23:28:10 +0000 (+0200) Subject: installation/pleroma.vcl: Add HTTP security headers X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=3487e15963b04c0d654f2faeedc17d9fcb9a6b0d;p=akkoma installation/pleroma.vcl: Add HTTP security headers --- diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 63c1cb74d..ad5bb3c6c 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -119,3 +119,13 @@ sub vcl_pipe { set bereq.http.connection = req.http.connection; } } + +sub vcl_deliver { + set resp.http.X-Frame-Options = "DENY"; + set resp.http.X-XSS-Protection = "1; mode=block"; + set resp.http.X-Content-Type-Options = "nosniff"; + set resp.http.Referrer-Policy = "same-origin"; + set resp.http.Content-Security-Policy = "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://" + req.http.host + "; upgrade-insecure-requests;"; + # Uncomment this only after you get HTTPS working. + # set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains"; +} \ No newline at end of file