From 438c859a243b2202cb0c6f12f6278f980834691b Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Thu, 22 Oct 2020 14:46:09 +0500
Subject: [PATCH] Fix Nginx config
---
 roles/website/templates/nginx/website.conf | 31 +++++++++++++++-------
 1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/roles/website/templates/nginx/website.conf b/roles/website/templates/nginx/website.conf
index ee36d7b..fb4d488 100644
--- a/roles/website/templates/nginx/website.conf
+++ b/roles/website/templates/nginx/website.conf
@@ -15,14 +15,14 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
- return 301 https://$host$request_uri;
+ return 301 https://{{ fedihub__website__host }}$request_uri;
 }
 server {
 listen 443 ssl;
 listen [::]:443 ssl;
- server_name {{ fedihub__website__host }} www.{{ fedihub__website__host }}};
+ server_name www.{{ fedihub__website__host }};
 ssl_certificate {{ fedihub__website__nginx__ssl_cert }};
 ssl_certificate_key {{ fedihub__website__nginx__ssl_key }};
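Review bot: The `www.` TLS server block in this hunk keeps `ssl_certificate {{ fedihub__website__nginx__ssl_cert }}` while its `server_name` now matches only `www.{{ fedihub__website__host }}`, and the apex block added further down the file reuses the same variable; the www→apex redirect only happens without a browser certificate error if that one certificate's SAN list covers both names, which the template cannot check. I would pin that assumption next to the directive: `# cert must list both the apex and www.{{ fedihub__website__host }} — this block serves www only`. If the deployment issues per-name certificates, this block needs its own cert/key variables instead of sharing the apex pair. The server block continues past the end of the hunk.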
@@ -38,15 +38,28 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Last-Modified $date_gmt;
- add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ return 301 https://{{ fedihub__website__host }}$request_uri;
+}
- client_max_body_size 100M;
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
- if_modified_since off;
- expires off;
- etag off;
- sendfile off;
+ server_name {{ fedihub__website__host }};
+
+ ssl_certificate {{ fedihub__website__nginx__ssl_cert }};
+ ssl_certificate_key {{ fedihub__website__nginx__ssl_key }};
+
+ set $CSP "";
+ set $CSP "${CSP}object-src 'none';";
+ set $CSP "${CSP}frame-src 'none';";
+ set $CSP "${CSP}connect-src 'self';";
+
+ add_header Content-Security-Policy $CSP always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
 root {{ fedihub__website__public_dir }};
 index index.html;
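Review bot: The CSP assembled in the new apex server block has no `default-src`, so `script-src`, `style-src`, `img-src` and every other fetch directive fall back to unrestricted — as written it limits plugins, frames and XHR but does nothing against an injected script, which is the main reason to ship a CSP on a static site. Start the chain with `set $CSP "${CSP}default-src 'self';";`, and consider `set $CSP "${CSP}base-uri 'none';";` plus `set $CSP "${CSP}frame-ancestors 'self';";` so the policy matches the `X-Frame-Options "SAMEORIGIN"` already sent, then relax per source only if the files under `root` actually need inline styles or third-party assets. Separately, nginx does not inherit `add_header` into any `location` that declares its own `add_header`, so if one is added below this hunk it silently drops all five headers; an `include` of a shared headers snippet in both TLS server blocks would avoid that and the duplication with the www block at the top of the hunk. The apex server block opened here continues past the end of the hunk.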