Add security-related HTTP headers to static web site and web-app.

GUI · GUI · commit f15ac87304aa · 2016-12-14T22:46:42.000-07:00
Adds the following headers to the static website content and the web-app
responses (but doesn't modify any of the headers for API responses):

- X-XSS-Protection
- X-Frame-Options
- X-Content-Type-Options
diff --git a/templates/etc/nginx/router.conf.mustache b/templates/etc/nginx/router.conf.mustache
@@ -207,6 +207,12 @@ http {
     server_name _;
 
     root {{static_site.build_dir}};
+
+    # Security headers
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
+    more_set_headers "X-XSS-Protection: 1; mode=block";
+    more_set_headers "X-Frame-Options: DENY";
+    more_set_headers "X-Content-Type-Options: nosniff";
   }
 
   map $http_accept_encoding $normalized_accept_encoding {
@@ -266,6 +272,12 @@ http {
     set $x_api_umbrella_request_id $http_x_api_umbrella_request_id;
     root {{web.dir}}/public;
 
+    # Security headers
+    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
+    more_set_headers "X-XSS-Protection: 1; mode=block";
+    more_set_headers "X-Frame-Options: DENY";
+    more_set_headers "X-Content-Type-Options: nosniff";
+
     {{^_development_env?}}
     location /web-assets/ {
       alias {{_embedded_root_dir}}/apps/core/current/build/dist/web-app-assets/web-assets/;
