Improve security headers documentation

Refresh and reorder links
This commit is contained in:
Léo Colombaro 2021-06-14 12:38:26 +02:00
parent 4b773f0967
commit f6e5a123e2
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
5 changed files with 12 additions and 8 deletions


@ -19,9 +19,10 @@
# such as:
# https://csp-evaluator.withgoogle.com
#
# https://csp.withgoogle.com/docs/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.w3.org/TR/CSP/
# https://owasp.org/www-project-secure-headers/#content-security-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://developers.google.com/web/fundamentals/security/csp
# https://content-security-policy.com/
add_header Content-Security-Policy $content_security_policy always;


@ -17,7 +17,9 @@
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://www.w3.org/TR/referrer-policy/
# https://owasp.org/www-project-secure-headers/#referrer-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
add_header Referrer-Policy $referrer_policy always;


@ -28,9 +28,9 @@
# https://hstspreload.org/#deployment-recommendations
#
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
# https://hstspreload.org/
add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;


@ -9,6 +9,7 @@
# user-uploaded content or content that could potentially be treated as
# executable by the browser.
#
# https://owasp.org/www-project-secure-headers/#x-content-type-options
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
# https://mimesniff.spec.whatwg.org/


@ -29,9 +29,9 @@
# (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
# which obsoletes this header for supporting browsers.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
# https://www.owasp.org/index.php/Clickjacking
# https://owasp.org/www-project-secure-headers/#x-frame-options
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
add_header X-Frame-Options $x_frame_options always;