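# NixOS module: opt-in baseline of HTTP security response headers for nginx.
# Setting sbruder.nginx.hardening.enable adds the directives below to
# services.nginx.commonHttpConfig.
{ config, lib, ... }:

{
  options.sbruder.nginx.hardening.enable = lib.mkEnableOption "nginx hardening";

  config = lib.mkIf config.sbruder.nginx.hardening.enable {
    # Every add_header carries `always`. Without it nginx attaches the header
    # only to a fixed set of success/redirect status codes, so error pages
    # (4xx/5xx) would be served without nosniff, framing and referrer protection.
    #
    # The map leaves $hsts_header empty for plain http, and nginx does not emit
    # a header whose value is empty, so HSTS is only sent over TLS.
    # max-age=31536000 is 365 days. There is no includeSubDomains, so the
    # policy covers only the exact host that sent it.
    #
    # NOTE(review): nginx inherits add_header from the enclosing level only
    # when the current level defines none of its own. Any server or location
    # block that sets its own add_header silently drops all four headers and
    # has to repeat them.
    services.nginx.commonHttpConfig = ''
      map $scheme $hsts_header {
        https "max-age=31536000";
      }
      add_header Strict-Transport-Security $hsts_header always;

      add_header Referrer-Policy strict-origin always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-Frame-Options SAMEORIGIN always;
    '';
  };
}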