From 6dd4cc27edafc26e73d8998ab146235774d4abdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20Colombaro?= Date: Sun, 10 Feb 2019 20:46:58 +0100 Subject: [PATCH] Switch from location directives to maps based on MIME-types * Expire * X-XSS-Protection * X-Frame-Options * X-UA-Compatible * Content-Security-Policy * Access-Control-Allow-Origin --- h5bp/basic.conf | 2 - h5bp/cross-origin/requests.conf | 2 +- h5bp/internet_explorer/x-ua-compatible.conf | 2 +- h5bp/location/cross-origin_images.conf | 18 ---- h5bp/location/cross-origin_web_fonts.conf | 19 ---- .../web_performance_cache_expiration.conf | 57 ------------ h5bp/security/content-security-policy.conf | 2 +- h5bp/security/x-frame-options.conf | 2 +- h5bp/security/x-xss-protection.conf | 3 +- h5bp/web_performance/cache_expiration.conf | 88 +++++++++++++++++++ nginx.conf | 55 ++++++++++++ 11 files changed, 148 insertions(+), 102 deletions(-) delete mode 100644 h5bp/location/cross-origin_images.conf delete mode 100644 h5bp/location/cross-origin_web_fonts.conf delete mode 100644 h5bp/location/web_performance_cache_expiration.conf create mode 100644 h5bp/web_performance/cache_expiration.conf diff --git a/h5bp/basic.conf b/h5bp/basic.conf index e2b8eac..fa23bee 100644 --- a/h5bp/basic.conf +++ b/h5bp/basic.conf @@ -3,5 +3,3 @@ include h5bp/internet_explorer/x-ua-compatible.conf; include h5bp/location/security_file_access.conf; -include h5bp/location/web_performance_cache_expiration.conf; -include h5bp/location/cross-origin_web_fonts.conf; diff --git a/h5bp/cross-origin/requests.conf b/h5bp/cross-origin/requests.conf index 7692fe9..052d087 100644 --- a/h5bp/cross-origin/requests.conf +++ b/h5bp/cross-origin/requests.conf @@ -16,4 +16,4 @@ # Allow access based on [sub]domain: # add_header Access-Control-Allow-Origin "subdomain.example.com"; -add_header Access-Control-Allow-Origin "*"; +add_header Access-Control-Allow-Origin $cors; diff --git a/h5bp/internet_explorer/x-ua-compatible.conf b/h5bp/internet_explorer/x-ua-compatible.conf index 64ea268..7fb1d25 100644 --- a/h5bp/internet_explorer/x-ua-compatible.conf +++ b/h5bp/internet_explorer/x-ua-compatible.conf @@ -16,4 +16,4 @@ # https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/ # https://msdn.microsoft.com/en-us/library/ff955275.aspx -add_header X-UA-Compatible "IE=Edge"; +add_header X-UA-Compatible $x_ua_compatible; diff --git a/h5bp/location/cross-origin_images.conf b/h5bp/location/cross-origin_images.conf deleted file mode 100644 index ed100b2..0000000 --- a/h5bp/location/cross-origin_images.conf +++ /dev/null @@ -1,18 +0,0 @@ -# ---------------------------------------------------------------------- -# | Cross-origin images | -# ---------------------------------------------------------------------- - -# Send the CORS header for images when browsers request it. -# -# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image -# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html - -location ~* \.(?:bmp|cur|gif|ico|jpe?g|png|svgz?|webp?)$ { - include h5bp/cross-origin/requests.conf; - - # Also, set cache rules for images. - # - # https://nginx.org/en/docs/http/ngx_http_core_module.html#location - access_log off; - expires 1M; -} diff --git a/h5bp/location/cross-origin_web_fonts.conf b/h5bp/location/cross-origin_web_fonts.conf deleted file mode 100644 index 3f700cd..0000000 --- a/h5bp/location/cross-origin_web_fonts.conf +++ /dev/null @@ -1,19 +0,0 @@ -# ---------------------------------------------------------------------- -# | Cross-origin web fonts | -# ---------------------------------------------------------------------- - -# Allow cross-origin access to web fonts. -# -# https://developers.google.com/fonts/docs/troubleshooting - -location ~* \.(?:eot|otf|tt[cf]|woff2?)$ { - include h5bp/cross-origin/requests.conf; - - # Also, set cache rules for web fonts. - # - # https://nginx.org/en/docs/http/ngx_http_core_module.html#location - # https://github.com/h5bp/server-configs/issues/85 - # https://github.com/h5bp/server-configs/issues/86 - access_log off; - expires 1M; -} diff --git a/h5bp/location/web_performance_cache_expiration.conf b/h5bp/location/web_performance_cache_expiration.conf deleted file mode 100644 index cdb2596..0000000 --- a/h5bp/location/web_performance_cache_expiration.conf +++ /dev/null @@ -1,57 +0,0 @@ -# ---------------------------------------------------------------------- -# | Cache expiration | -# ---------------------------------------------------------------------- - -# Serve resources with far-future expiration date. -# -# (!) If you don't control versioning with filename-based -# cache busting, you should consider lowering the cache times -# to something like one week. -# -# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control -# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires -# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires - -# No default expire rule. This config mirrors that of apache as outlined in the -# html5-boilerplate .htaccess file. However, nginx applies rules by location, -# the apache rules are defined by type. A consequence of this difference is that -# if you use no file extension in the url and serve html, with apache you get an -# expire time of 0s, with nginx you'd get an expire header of one month in the -# future (if the default expire rule is 1 month). Therefore, do not use a -# default expire rule with nginx unless your site is completely static - -# Documents -location ~* \.(?:manifest|appcache|html?|xml|json)$ { - expires 0; -} - -# Feeds -location ~* \.(?:rss|atom)$ { - expires 1h; -} - -# Media files -location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ { - access_log off; - expires 1M; -} - -# Media: svgz files are already compressed. -location ~* \.svgz$ { - access_log off; - gzip off; - expires 1M; -} - -# CSS and JavaScript -location ~* \.(?:css|js)$ { - expires 1y; - access_log off; -} - -# Web fonts -# If you are NOT using cross-domain-fonts.conf, uncomment the following directive -# location ~* \.(?:eot|otf|tt[cf]|woff2?)$ { -# expires 1M; -# access_log off; -# } diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf index fb36a5e..f5a92e6 100644 --- a/h5bp/security/content-security-policy.conf +++ b/h5bp/security/content-security-policy.conf @@ -20,4 +20,4 @@ # https://content-security-policy.com/ # https://www.html5rocks.com/en/tutorials/security/content-security-policy/ -add_header Content-Security-Policy "script-src 'self'; object-src 'self'" always; +add_header Content-Security-Policy $content_security_policy always; diff --git a/h5bp/security/x-frame-options.conf b/h5bp/security/x-frame-options.conf index f0a5e9e..6f93108 100644 --- a/h5bp/security/x-frame-options.conf +++ b/h5bp/security/x-frame-options.conf @@ -33,4 +33,4 @@ # https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/ # https://www.owasp.org/index.php/Clickjacking -add_header X-Frame-Options DENY always; +add_header X-Frame-Options $x_frame_options always; diff --git a/h5bp/security/x-xss-protection.conf b/h5bp/security/x-xss-protection.conf index 71a5154..8ebc061 100644 --- a/h5bp/security/x-xss-protection.conf +++ b/h5bp/security/x-xss-protection.conf @@ -35,5 +35,4 @@ # https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/ # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 -# (1) (2) -add_header X-XSS-Protection "1; mode=block" always; +add_header X-XSS-Protection $x_xss_protection always; diff --git a/h5bp/web_performance/cache_expiration.conf b/h5bp/web_performance/cache_expiration.conf new file mode 100644 index 0000000..84b7aed --- /dev/null +++ b/h5bp/web_performance/cache_expiration.conf @@ -0,0 +1,88 @@ +# ---------------------------------------------------------------------- +# | Cache expiration | +# ---------------------------------------------------------------------- + +# Serve resources with far-future expiration date. +# +# (!) If you don't control versioning with filename-based +# cache busting, you should consider lowering the cache times +# to something like one week. +# +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires +# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires + +map $sent_http_content_type $expires { + default 1M; + + # CSS + text/css 1y; + + # Data interchange + application/atom+xml 1h; + application/rdf+xml 1h; + application/rss+xml 1h; + + application/json 0; + application/ld+json 0; + application/schema+json 0; + application/geo+json 0; + application/xml 0; + text/calendar 0; + text/xml 0; + + # Favicon (cannot be renamed!) and cursor images + image/vnd.microsoft.icon 1w; + image/x-icon 1w; + + # HTML + text/html 0; + + # JavaScript + application/javascript 1y; + application/x-javascript 1y; + text/javascript 1y; + + # Manifest files + application/manifest+json 1w; + application/x-web-app-manifest+json 0; + text/cache-manifest 0; + + + # Markdown + text/markdown 0; + + # Media files + audio/ogg 1M; + image/bmp 1M; + image/gif 1M; + image/jpeg 1M; + image/png 1M; + image/svg+xml 1M; + image/webp 1M; + video/mp4 1M; + video/ogg 1M; + video/webm 1M; + + # WebAssembly + application/wasm 1y; + + # Web fonts + font/collection 1M; + application/vnd.ms-fontobject 1M; + font/eot 1M; + font/opentype 1M; + font/otf 1M; + application/x-font-ttf 1M; + font/ttf 1M; + application/font-woff 1M; + application/x-font-woff 1M; + font/woff 1M; + application/font-woff2 1M; + font/woff2 1M; + + # Other + text/x-cross-domain-policy 1w; +} + +expires $expires; diff --git a/nginx.conf b/nginx.conf index e67af27..3ea3dd4 100644 --- a/nginx.conf +++ b/nginx.conf @@ -93,6 +93,61 @@ http { # Enable gzip compression. include h5bp/web_performance/compression.conf; + # Specify file cache expiration. + include h5bp/web_performance/cache_expiration.conf; + + # Add X-XSS-Protection for HTML documents. + # h5bp/security/x-xss-protection.conf + map $sent_http_content_type $x_xss_protection { + # (1) (2) + text/html "1; mode=block"; + } + + # Add X-Frame-Options for HTML documents. + # h5bp/security/x-frame-options.conf + map $sent_http_content_type $x_frame_options { + text/html DENY; + } + + # Add Content-Security-Policy for HTML documents. + # h5bp/security/content-security-policy.conf + map $sent_http_content_type $content_security_policy { + text/html "script-src 'self'; object-src 'self'"; + } + + # Add X-UA-Compatible for HTML documents. + # h5bp/internet_explorer/x-ua-compatible.conf + map $sent_http_content_type $x_ua_compatible { + text/html "IE=edge"; + } + + # Add Access-Control-Allow-Origin. + # h5bp/cross-origin/requests.conf + map $sent_http_content_type $cors { + # Images + image/bmp "*"; + image/gif "*"; + image/jpeg "*"; + image/png "*"; + image/svg+xml "*"; + image/webp "*"; + image/x-icon "*"; + + # Web fonts + font/collection "*"; + application/vnd.ms-fontobject "*"; + font/eot "*"; + font/opentype "*"; + font/otf "*"; + application/x-font-ttf "*"; + font/ttf "*"; + application/font-woff "*"; + application/x-font-woff "*"; + font/woff "*"; + application/font-woff2 "*"; + font/woff2 "*"; + } + # Include files in the conf.d folder. # server{} configuration files should be placed in the conf.d folder. # The configurations should be disabled by prefixing files with a dot.