Sutty nginx config #96
Conversation
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||
add_header 'X-Frame-Options' 'ALLOW-FROM *'; | ||
add_header X-Frame-Options "sameorigin"; |
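Review bot: the two X-Frame-Options lines in this region carry conflicting values (`'ALLOW-FROM *'` and `"sameorigin"`); if both are meant to remain, browsers handle a conflicting X-Frame-Options header inconsistently rather than picking the stricter one, and ALLOW-FROM is an obsolete directive that current browsers ignore (and `*` was never a valid argument for it, since it expects a single origin). Keep a single `add_header X-Frame-Options "SAMEORIGIN" always;` and add `add_header Content-Security-Policy "frame-ancestors 'self'" always;` as the modern equivalent that browsers actually consult. Note also that the Strict-Transport-Security line has `always` but neither X-Frame-Options line does, so error responses would be served without a framing policy.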
I think we want to allow iframes for sites by default
This only forbids the site from being iframed elsewhere (like a malicious site hijacking clicks).
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||
add_header 'X-Frame-Options' 'ALLOW-FROM *'; | ||
add_header X-Frame-Options "sameorigin"; | ||
add_header X-XSS-Protection "1; mode=block"; |
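Review bot: `add_header X-XSS-Protection "1; mode=block";` enables a deprecated mechanism: the XSS auditor it controls has been removed from Chromium-based browsers, Firefox never implemented it, and in the older engines that still have it the filter itself has been abused to leak cross-site information. Either drop the line or set it to `add_header X-XSS-Protection "0" always;`, and carry the actual XSS defence in a Content-Security-Policy header instead.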
I think we want to support XSS for stuff like p2p web apps
yikes!
add_header X-Frame-Options "sameorigin"; | ||
add_header X-XSS-Protection "1; mode=block"; | ||
add_header X-Content-Type-Options "nosniff"; | ||
add_header Referrer-Policy "strict-origin-when-cross-origin"; |
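Review bot: X-Content-Type-Options and Referrer-Policy (like the X-Frame-Options and X-XSS-Protection lines above them) are missing the `always` parameter that the Strict-Transport-Security line has. Without `always`, nginx attaches `add_header` output only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so the `/404.html` page this PR configures would go out without `nosniff` or a referrer policy. Suggest `add_header X-Content-Type-Options "nosniff" always;` and `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` for consistency.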
Referrer could be good for our analytics when users navigate to DP from the thing in the footer; is there a way to support that still?
This will instruct browsers to set the referer only to the origin if the destination is secure, so third-party websites can know where the visit came from but not the particular page.
@@ -12,26 +12,36 @@ server { | |||
|
|||
error_page 404 /404.html; | |||
|
|||
add_header Cache-Control no-cache; |
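Review bot: `add_header Cache-Control no-cache;` has the same gap as the other header lines in this hunk: without `always` it is not applied to the `error_page 404 /404.html;` response, so a cached 404 page would be reused without revalidation; `add_header Cache-Control "no-cache" always;` closes that. A second caveat worth a comment in the config: nginx `add_header` directives set in a `location` block replace every header inherited from this `server` block, so if any location later adds its own header, the whole security header set silently disappears for that location unless it is repeated there.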
Why no cache?
If you want caches to always check for content updates while reusing stored content, no-cache is the directive to use. It does this by requiring caches to revalidate each request with the origin server.
Note that no-cache does not mean "don't cache". no-cache allows caches to store a response but requires them to revalidate it before reuse. If the sense of "don't cache" that you want is actually "don't store", then no-store is the directive to use.
In practice, since nginx adds ETag headers to every static file, it'll return 304 for cached URLs, so you save the body bytes but still need an open connection to the webserver. It's a better alternative than guessing how long you need to cache and getting asked why a very, very, very recent change doesn't show up yet.
I made edits to the above comment.
Co-authored-by: Mauve Signweaver <[email protected]>
hyphacoop/distributed-press-organizing#155
Most are safety options, but the TLS config and gzip pre-compression are performance optimizations too. I didn't add brotli_static because Debian doesn't seem to have it for nginx.
Edit: also caching.
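The points raised across this review (conflicting X-Frame-Options values, the deprecated X-XSS-Protection filter, `add_header` lines that skip error responses, and no-cache plus ETag revalidation) assembled into one server block. This is an added example, not the Sutty or Distributed Press config from the PR; the server_name, root and certificate paths are placeholders.

```nginx
# Added example: a static-site server block carrying the header set discussed in the
# PR review. server_name, root and certificate paths are placeholders, not project values.
server {
    listen 443 ssl;
    server_name example.org;                                   # placeholder
    root /var/www/example.org/public;                          # placeholder
    ssl_certificate     /etc/ssl/example.org/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/ssl/example.org/privkey.pem;      # placeholder

    error_page 404 /404.html;

    # Without "always", add_header applies only to 2xx/3xx responses, so the 404 page
    # above would go out with no HSTS, no nosniff and no framing policy. Use it on every line.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Send only the origin on cross-site navigations, full URL same-site, nothing on downgrade.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Framing: a single X-Frame-Options value (two conflicting values are not reliably
    # honoured and ALLOW-FROM is obsolete) plus the CSP directive modern browsers consult.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    # The XSS auditor is gone from current browsers and was a leak vector in old ones;
    # disable it explicitly rather than send "1; mode=block".
    add_header X-XSS-Protection "0" always;

    # Store, but revalidate before reuse. nginx's ETag (on by default for static files)
    # lets a repeat visit send If-None-Match and receive a bodiless 304 when unchanged.
    etag on;
    add_header Cache-Control "no-cache" always;

    # Serve pre-compressed .gz files next to the originals when the client accepts gzip.
    gzip_static on;

    location / {
        try_files $uri $uri/ =404;
        # Deliberately no add_header here: any add_header inside a location replaces
        # the whole inherited set from the server block, silently dropping the headers above.
    }
}
```

The one check worth running after a reload is to request a path that does not exist and confirm the 404 response still carries every header listed; that is exactly the case the missing `always` parameters in the PR would break.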