added security stuff at security.conf inside conf.d
This commit is contained in:
31
conf.d/security.conf
Normal file
31
conf.d/security.conf
Normal file
@@ -0,0 +1,31 @@
|
|||||||
|
# Basic timeout and buffer settings
|
||||||
|
client_max_body_size 50M;
|
||||||
|
client_body_buffer_size 128k;
|
||||||
|
client_header_timeout 10s;
|
||||||
|
client_body_timeout 10s;
|
||||||
|
send_timeout 10s;
|
||||||
|
|
||||||
|
# Limit request rate
|
||||||
|
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=30r/s;
|
||||||
|
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
|
||||||
|
|
||||||
|
# SSL / TLS hardening
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256';
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_timeout 10m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
# HSTS
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
|
||||||
|
# Security headers
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-Frame-Options DENY;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header Referrer-Policy "no-referrer-when-downgrade";
|
||||||
|
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";
|
||||||
|
|
||||||
|
# Hide nginx version
|
||||||
|
server_tokens off;
|
||||||
Reference in New Issue
Block a user