From 4590a2380efb49da0a4fdb60890537ebc408b31e Mon Sep 17 00:00:00 2001
From: Daniel KT
Date: Wed, 25 Sep 2019 16:56:53 -0400
Subject: nixos/nextcloud: add Strict-Transport-Security

This commit adds a Strict-Transport-Security header to the nginx config file generated by the nextcloud module. The Strict-Transport-Security header is recommended in official guide for hardening Nextcloud installations: https://docs.nextcloud.com/server/16/admin_manual/installation/harden_server.html Further, if it is not set, we see a warning in the security scan results in the Nextcloud admin panel:
```
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips
```
---
 nixos/modules/services/web-apps/nextcloud.nix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'nixos/modules')
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index db5dc915c89f..563c44679854 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -531,6 +531,7 @@ in {
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
 error_page 403 /core/templates/403.php;
 error_page 404 /core/templates/404.php;
 client_max_body_size ${cfg.maxUploadSize};
-- 
cgit 1.4.1
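Review bot: The added `add_header Strict-Transport-Security` line is unconditional and hard-codes `includeSubDomains`, which extends the HTTPS-only policy to every subdomain of the Nextcloud host name rather than just this vhost; on an apex domain that can break unrelated HTTP-only hosts once a browser has cached the policy for the 180-day max-age, and nothing in the module lets the operator narrow or disable it. The hunk does not show whether this vhost is guaranteed to be served over TLS — browsers ignore HSTS received over plain HTTP, so the header is harmless there, but the policy and the TLS setup are then not tied together and a user who also sets HSTS in their own nginx vhost config ends up with duplicate headers. Consider exposing the value as a module option, or at least putting a comment on the line: `# HSTS also applies to all subdomains of the host name; only appropriate once TLS is permanent for the whole domain`. Note too that nginx does not inherit `add_header` into a `location` block that sets its own headers, so if the generated server block (which starts and ends outside this hunk) contains such blocks, those responses will lack the header; worth checking against the rest of the config string.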