commit d400040b3403bc687c42843da9a179edbec42b88 parent 934d4cc588cf56656351a8336cf33fff8743642e Author: mtmn <miro@haravara.org> Date: Wed, 10 Jun 2026 21:12:12 +0200 caddy: set proper headers for services Diffstat:
| M | modules/services/corpus.nix | | | 9 | +++++++++ |
| M | modules/services/dex.nix | | | 9 | +++++++++ |
| M | modules/services/searxng.nix | | | 7 | +++++++ |
3 files changed, 25 insertions(+), 0 deletions(-)
diff --git a/modules/services/corpus.nix b/modules/services/corpus.nix @@ -75,6 +75,15 @@ in { services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' encode zstd gzip + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + X-Frame-Options "DENY" + Referrer-Policy "strict-origin-when-cross-origin" + Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'" + -Server + } + reverse_proxy 127.0.0.1:${toString cfg.port} ''; }; diff --git a/modules/services/dex.nix b/modules/services/dex.nix @@ -100,6 +100,15 @@ in { }; services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + X-Frame-Options "DENY" + Referrer-Policy "strict-origin-when-cross-origin" + Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'" + -Server + } + reverse_proxy ${cfg.address} ''; }; diff --git a/modules/services/searxng.nix b/modules/services/searxng.nix @@ -51,6 +51,13 @@ in { services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' ${haravara.mkAuthImport cfg.authLabel} + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + X-Frame-Options "DENY" + Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'" + -Server + } reverse_proxy ${cfg.bindAddress}:${toString cfg.port} ''; };