author | Daniel KT <dan@koumbit.org> | 2019-09-25 16:56:53 -0400 |
---|---|---|
committer | Daniel KT <dan@koumbit.org> | 2019-09-25 16:56:53 -0400 |
commit | 4590a2380efb49da0a4fdb60890537ebc408b31e (patch) | |
tree | 5eb81c33e22e237a6a46097e8e2ae109859cda04 | |
parent | 99b12cfc0818892f74d2f7fe22b9f34b93014915 (diff) | |
nixos/nextcloud: add Strict-Transport-Security
This commit adds a Strict-Transport-Security header to the nginx config file generated by the nextcloud module.

The Strict-Transport-Security header is recommended in the official guide for hardening Nextcloud installations:

https://docs.nextcloud.com/server/16/admin_manual/installation/harden_server.html

Further, if it is not set, we see a warning in the security scan results in the Nextcloud admin panel:

```
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips
```
-rw-r--r-- | nixos/modules/services/web-apps/nextcloud.nix | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index db5dc915c89f..563c44679854 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -531,6 +531,7 @@ in { add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php; client_max_body_size ${cfg.maxUploadSize}; |
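Review bot: `includeSubDomains` is hard-coded in the added `add_header Strict-Transport-Security` line, so a browser that sees this header will refuse plain HTTP for every subdomain of the Nextcloud host name for 15552000 seconds (180 days), including hosts this module does not manage. Consider leaving `includeSubDomains` out by default, or exposing it and the max-age through a module option the way `client_max_body_size` takes `${cfg.maxUploadSize}`. The visible context also does not show whether this block is generated only for TLS-enabled virtual hosts; if it is generated unconditionally, the header should be emitted only when HTTPS is enabled, since a long-lived HSTS policy is hard to retract once browsers have cached it. A smaller point: the new line uses `always` while the neighbouring `add_header` lines do not, so the security headers now differ between success and error responses; a short comment explaining the choice, or applying it consistently, would help.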