Switch from location directives to maps based on MIME-types
* Expire * X-XSS-Protection * X-Frame-Options * X-UA-Compatible * Content-Security-Policy * Access-Control-Allow-Origin
This commit is contained in:
parent
2d135053cb
commit
6dd4cc27ed
|
@ -3,5 +3,3 @@
|
||||||
|
|
||||||
include h5bp/internet_explorer/x-ua-compatible.conf;
|
include h5bp/internet_explorer/x-ua-compatible.conf;
|
||||||
include h5bp/location/security_file_access.conf;
|
include h5bp/location/security_file_access.conf;
|
||||||
include h5bp/location/web_performance_cache_expiration.conf;
|
|
||||||
include h5bp/location/cross-origin_web_fonts.conf;
|
|
||||||
|
|
|
@ -16,4 +16,4 @@
|
||||||
# Allow access based on [sub]domain:
|
# Allow access based on [sub]domain:
|
||||||
# add_header Access-Control-Allow-Origin "subdomain.example.com";
|
# add_header Access-Control-Allow-Origin "subdomain.example.com";
|
||||||
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin $cors;
|
||||||
|
|
|
@ -16,4 +16,4 @@
|
||||||
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
|
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
|
||||||
# https://msdn.microsoft.com/en-us/library/ff955275.aspx
|
# https://msdn.microsoft.com/en-us/library/ff955275.aspx
|
||||||
|
|
||||||
add_header X-UA-Compatible "IE=Edge";
|
add_header X-UA-Compatible $x_ua_compatible;
|
||||||
|
|
|
@ -1,18 +0,0 @@
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
# | Cross-origin images |
|
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
|
|
||||||
# Send the CORS header for images when browsers request it.
|
|
||||||
#
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
|
|
||||||
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
|
|
||||||
|
|
||||||
location ~* \.(?:bmp|cur|gif|ico|jpe?g|png|svgz?|webp?)$ {
|
|
||||||
include h5bp/cross-origin/requests.conf;
|
|
||||||
|
|
||||||
# Also, set cache rules for images.
|
|
||||||
#
|
|
||||||
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
|
|
||||||
access_log off;
|
|
||||||
expires 1M;
|
|
||||||
}
|
|
|
@ -1,19 +0,0 @@
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
# | Cross-origin web fonts |
|
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
|
|
||||||
# Allow cross-origin access to web fonts.
|
|
||||||
#
|
|
||||||
# https://developers.google.com/fonts/docs/troubleshooting
|
|
||||||
|
|
||||||
location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
|
|
||||||
include h5bp/cross-origin/requests.conf;
|
|
||||||
|
|
||||||
# Also, set cache rules for web fonts.
|
|
||||||
#
|
|
||||||
# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
|
|
||||||
# https://github.com/h5bp/server-configs/issues/85
|
|
||||||
# https://github.com/h5bp/server-configs/issues/86
|
|
||||||
access_log off;
|
|
||||||
expires 1M;
|
|
||||||
}
|
|
|
@ -1,57 +0,0 @@
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
# | Cache expiration |
|
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
|
|
||||||
# Serve resources with far-future expiration date.
|
|
||||||
#
|
|
||||||
# (!) If you don't control versioning with filename-based
|
|
||||||
# cache busting, you should consider lowering the cache times
|
|
||||||
# to something like one week.
|
|
||||||
#
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
|
|
||||||
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
|
|
||||||
|
|
||||||
# No default expire rule. This config mirrors that of apache as outlined in the
|
|
||||||
# html5-boilerplate .htaccess file. However, nginx applies rules by location,
|
|
||||||
# the apache rules are defined by type. A consequence of this difference is that
|
|
||||||
# if you use no file extension in the url and serve html, with apache you get an
|
|
||||||
# expire time of 0s, with nginx you'd get an expire header of one month in the
|
|
||||||
# future (if the default expire rule is 1 month). Therefore, do not use a
|
|
||||||
# default expire rule with nginx unless your site is completely static
|
|
||||||
|
|
||||||
# Documents
|
|
||||||
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
|
||||||
expires 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Feeds
|
|
||||||
location ~* \.(?:rss|atom)$ {
|
|
||||||
expires 1h;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Media files
|
|
||||||
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
|
|
||||||
access_log off;
|
|
||||||
expires 1M;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Media: svgz files are already compressed.
|
|
||||||
location ~* \.svgz$ {
|
|
||||||
access_log off;
|
|
||||||
gzip off;
|
|
||||||
expires 1M;
|
|
||||||
}
|
|
||||||
|
|
||||||
# CSS and JavaScript
|
|
||||||
location ~* \.(?:css|js)$ {
|
|
||||||
expires 1y;
|
|
||||||
access_log off;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Web fonts
|
|
||||||
# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
|
|
||||||
# location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
|
|
||||||
# expires 1M;
|
|
||||||
# access_log off;
|
|
||||||
# }
|
|
|
@ -20,4 +20,4 @@
|
||||||
# https://content-security-policy.com/
|
# https://content-security-policy.com/
|
||||||
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
|
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
|
||||||
|
|
||||||
add_header Content-Security-Policy "script-src 'self'; object-src 'self'" always;
|
add_header Content-Security-Policy $content_security_policy always;
|
||||||
|
|
|
@ -33,4 +33,4 @@
|
||||||
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
|
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
|
||||||
# https://www.owasp.org/index.php/Clickjacking
|
# https://www.owasp.org/index.php/Clickjacking
|
||||||
|
|
||||||
add_header X-Frame-Options DENY always;
|
add_header X-Frame-Options $x_frame_options always;
|
||||||
|
|
|
@ -35,5 +35,4 @@
|
||||||
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
|
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
|
||||||
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
|
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
|
||||||
|
|
||||||
# (1) (2)
|
add_header X-XSS-Protection $x_xss_protection always;
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
|
|
|
@ -0,0 +1,88 @@
|
||||||
|
# ----------------------------------------------------------------------
|
||||||
|
# | Cache expiration |
|
||||||
|
# ----------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Serve resources with far-future expiration date.
|
||||||
|
#
|
||||||
|
# (!) If you don't control versioning with filename-based
|
||||||
|
# cache busting, you should consider lowering the cache times
|
||||||
|
# to something like one week.
|
||||||
|
#
|
||||||
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
|
||||||
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
|
||||||
|
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
|
||||||
|
|
||||||
|
map $sent_http_content_type $expires {
|
||||||
|
default 1M;
|
||||||
|
|
||||||
|
# CSS
|
||||||
|
text/css 1y;
|
||||||
|
|
||||||
|
# Data interchange
|
||||||
|
application/atom+xml 1h;
|
||||||
|
application/rdf+xml 1h;
|
||||||
|
application/rss+xml 1h;
|
||||||
|
|
||||||
|
application/json 0;
|
||||||
|
application/ld+json 0;
|
||||||
|
application/schema+json 0;
|
||||||
|
application/geo+json 0;
|
||||||
|
application/xml 0;
|
||||||
|
text/calendar 0;
|
||||||
|
text/xml 0;
|
||||||
|
|
||||||
|
# Favicon (cannot be renamed!) and cursor images
|
||||||
|
image/vnd.microsoft.icon 1w;
|
||||||
|
image/x-icon 1w;
|
||||||
|
|
||||||
|
# HTML
|
||||||
|
text/html 0;
|
||||||
|
|
||||||
|
# JavaScript
|
||||||
|
application/javascript 1y;
|
||||||
|
application/x-javascript 1y;
|
||||||
|
text/javascript 1y;
|
||||||
|
|
||||||
|
# Manifest files
|
||||||
|
application/manifest+json 1w;
|
||||||
|
application/x-web-app-manifest+json 0;
|
||||||
|
text/cache-manifest 0;
|
||||||
|
|
||||||
|
|
||||||
|
# Markdown
|
||||||
|
text/markdown 0;
|
||||||
|
|
||||||
|
# Media files
|
||||||
|
audio/ogg 1M;
|
||||||
|
image/bmp 1M;
|
||||||
|
image/gif 1M;
|
||||||
|
image/jpeg 1M;
|
||||||
|
image/png 1M;
|
||||||
|
image/svg+xml 1M;
|
||||||
|
image/webp 1M;
|
||||||
|
video/mp4 1M;
|
||||||
|
video/ogg 1M;
|
||||||
|
video/webm 1M;
|
||||||
|
|
||||||
|
# WebAssembly
|
||||||
|
application/wasm 1y;
|
||||||
|
|
||||||
|
# Web fonts
|
||||||
|
font/collection 1M;
|
||||||
|
application/vnd.ms-fontobject 1M;
|
||||||
|
font/eot 1M;
|
||||||
|
font/opentype 1M;
|
||||||
|
font/otf 1M;
|
||||||
|
application/x-font-ttf 1M;
|
||||||
|
font/ttf 1M;
|
||||||
|
application/font-woff 1M;
|
||||||
|
application/x-font-woff 1M;
|
||||||
|
font/woff 1M;
|
||||||
|
application/font-woff2 1M;
|
||||||
|
font/woff2 1M;
|
||||||
|
|
||||||
|
# Other
|
||||||
|
text/x-cross-domain-policy 1w;
|
||||||
|
}
|
||||||
|
|
||||||
|
expires $expires;
|
55
nginx.conf
55
nginx.conf
|
@ -93,6 +93,61 @@ http {
|
||||||
# Enable gzip compression.
|
# Enable gzip compression.
|
||||||
include h5bp/web_performance/compression.conf;
|
include h5bp/web_performance/compression.conf;
|
||||||
|
|
||||||
|
# Specify file cache expiration.
|
||||||
|
include h5bp/web_performance/cache_expiration.conf;
|
||||||
|
|
||||||
|
# Add X-XSS-Protection for HTML documents.
|
||||||
|
# h5bp/security/x-xss-protection.conf
|
||||||
|
map $sent_http_content_type $x_xss_protection {
|
||||||
|
# (1) (2)
|
||||||
|
text/html "1; mode=block";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add X-Frame-Options for HTML documents.
|
||||||
|
# h5bp/security/x-frame-options.conf
|
||||||
|
map $sent_http_content_type $x_frame_options {
|
||||||
|
text/html DENY;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add Content-Security-Policy for HTML documents.
|
||||||
|
# h5bp/security/content-security-policy.conf
|
||||||
|
map $sent_http_content_type $content_security_policy {
|
||||||
|
text/html "script-src 'self'; object-src 'self'";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add X-UA-Compatible for HTML documents.
|
||||||
|
# h5bp/internet_explorer/x-ua-compatible.conf
|
||||||
|
map $sent_http_content_type $x_ua_compatible {
|
||||||
|
text/html "IE=edge";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add Access-Control-Allow-Origin.
|
||||||
|
# h5bp/cross-origin/requests.conf
|
||||||
|
map $sent_http_content_type $cors {
|
||||||
|
# Images
|
||||||
|
image/bmp "*";
|
||||||
|
image/gif "*";
|
||||||
|
image/jpeg "*";
|
||||||
|
image/png "*";
|
||||||
|
image/svg+xml "*";
|
||||||
|
image/webp "*";
|
||||||
|
image/x-icon "*";
|
||||||
|
|
||||||
|
# Web fonts
|
||||||
|
font/collection "*";
|
||||||
|
application/vnd.ms-fontobject "*";
|
||||||
|
font/eot "*";
|
||||||
|
font/opentype "*";
|
||||||
|
font/otf "*";
|
||||||
|
application/x-font-ttf "*";
|
||||||
|
font/ttf "*";
|
||||||
|
application/font-woff "*";
|
||||||
|
application/x-font-woff "*";
|
||||||
|
font/woff "*";
|
||||||
|
application/font-woff2 "*";
|
||||||
|
font/woff2 "*";
|
||||||
|
}
|
||||||
|
|
||||||
# Include files in the conf.d folder.
|
# Include files in the conf.d folder.
|
||||||
# server{} configuration files should be placed in the conf.d folder.
|
# server{} configuration files should be placed in the conf.d folder.
|
||||||
# The configurations should be disabled by prefixing files with a dot.
|
# The configurations should be disabled by prefixing files with a dot.
|
||||||
|
|
Loading…
Reference in New Issue