From 3487e15963b04c0d654f2faeedc17d9fcb9a6b0d Mon Sep 17 00:00:00 2001 From: shibayashi Date: Wed, 29 Aug 2018 01:28:10 +0200 Subject: [PATCH] installation/pleroma.vcl: Add HTTP security headers --- installation/pleroma.vcl | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/installation/pleroma.vcl b/installation/pleroma.vcl index 63c1cb74d..ad5bb3c6c 100644 --- a/installation/pleroma.vcl +++ b/installation/pleroma.vcl @@ -119,3 +119,13 @@ sub vcl_pipe { set bereq.http.connection = req.http.connection; } } + +sub vcl_deliver { + set resp.http.X-Frame-Options = "DENY"; + set resp.http.X-XSS-Protection = "1; mode=block"; + set resp.http.X-Content-Type-Options = "nosniff"; + set resp.http.Referrer-Policy = "same-origin"; + set resp.http.Content-Security-Policy = "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://" + req.http.host + "; upgrade-insecure-requests;"; + # Uncomment this only after you get HTTPS working. + # set resp.http.Strict-Transport-Security= "max-age=31536000; includeSubDomains"; +} \ No newline at end of file