From 3303279655c1b090eda20806562d8850eff63b11 Mon Sep 17 00:00:00 2001 From: db1234719 Date: Mon, 17 Nov 2025 23:23:39 +0330 Subject: [PATCH] added security stuff at security.conf inside conf.d --- conf.d/security.conf | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 conf.d/security.conf diff --git a/conf.d/security.conf b/conf.d/security.conf new file mode 100644 index 0000000..e80a171 --- /dev/null +++ b/conf.d/security.conf @@ -0,0 +1,31 @@ +# Basic timeout and buffer settings +client_max_body_size 50M; +client_body_buffer_size 128k; +client_header_timeout 10s; +client_body_timeout 10s; +send_timeout 10s; + +# Limit request rate +limit_req_zone $binary_remote_addr zone=req_limit:10m rate=30r/s; +limit_conn_zone $binary_remote_addr zone=conn_limit:10m; + +# SSL / TLS hardening +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'; +ssl_prefer_server_ciphers on; +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; +ssl_session_tickets off; + +# HSTS +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + +# Security headers +add_header X-Content-Type-Options nosniff; +add_header X-Frame-Options DENY; +add_header X-XSS-Protection "1; mode=block"; +add_header Referrer-Policy "no-referrer-when-downgrade"; +add_header Permissions-Policy "geolocation=(), microphone=(), camera=()"; + +# Hide nginx version +server_tokens off;