Yinchie/security_headers.conf

## security_headers.conf
add_header X-UA-Compatible "IE=Edge";

# Enable reflective cross-site-scripting protection filter in browsers.
add_header X-XSS-Protection "1; mode=block";

# Strengthens the implementation of TLS by getting the User Agent to enforce the use of HTTPS.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

# Tell the browser whether you want to allow your site to be framed or not.
# By preventing a browser from framing your site you can defend against attacks like clickjacking.
add_header X-Frame-Options "SAMEORIGIN";

# Prevents browsers to mime-sniff the content-type of a response away from the one being declared by the server.
add_header X-Content-Type-Options  "nosniff";

# Allow the site to control how much information the browser includes with navigations away from a document and should be set by all sites
add_header Referrer-Policy "no-referrer-when-downgrade";

# By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
add_header Content-Security-Policy "default-src 'self' cdn.itchy.nl; script-src 'self' data: gist.github.com connect.facebook.net 'sha256-WlCNIcDYOWEbpNn1anQINNBK51F9CAJXMp6KwbaNhwE='; style-src 'self' data: 'unsafe-inline' assets-cdn.github.com; img-src 'self' data: assets-cdn.github.com www.facebook.com; font-src 'self' data:; child-src 'self' www.youtube.com gaming.youtube.com player.twitch.tv www.facebook.com connect.facebook.net staticxx.facebook.com; upgrade-insecure-requests; block-all-mixed-content; disown-opener; reflected-xss block; base-uri https://itchy.nl; referrer no-referrer-when-downgrade";

# Protects site from MiTM attacks using rogue X.509 certificates.
# By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
# Let's Encrypt Authority X3, ec-secp384r1.csr, rsa-2048.csr, backup EC, backup RSA
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="JUsMuoa8gRoKh0iUOn6Xh0rQsTAyrOmS5YbXOsAx9RI="; pin-sha256="DEpuCnuD202U2HOiXYEH6qvWdAyol9yI3l4KtjXRu6s="; pin-sha256="Pb3UYlTzcs3f6b5ENgh1oxBVL+tP5GHiN0yslKFtVOw="; pin-sha256="i3ryTV5o5d2n+A+hpOUp70qsD2CQbhA5vpOw1ODCUes="; max-age=2592000' always;
	add_header X-UA-Compatible "IE=Edge";

	# Enable reflective cross-site-scripting protection filter in browsers.
	add_header X-XSS-Protection "1; mode=block";

	# Strengthens the implementation of TLS by getting the User Agent to enforce the use of HTTPS.
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

	# Tell the browser whether you want to allow your site to be framed or not.
	# By preventing a browser from framing your site you can defend against attacks like clickjacking.
	add_header X-Frame-Options "SAMEORIGIN";

	# Prevents browsers to mime-sniff the content-type of a response away from the one being declared by the server.
	add_header X-Content-Type-Options "nosniff";

	# Allow the site to control how much information the browser includes with navigations away from a document and should be set by all sites
	add_header Referrer-Policy "no-referrer-when-downgrade";

	# By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
	add_header Content-Security-Policy "default-src 'self' cdn.itchy.nl; script-src 'self' data: gist.github.com connect.facebook.net 'sha256-WlCNIcDYOWEbpNn1anQINNBK51F9CAJXMp6KwbaNhwE='; style-src 'self' data: 'unsafe-inline' assets-cdn.github.com; img-src 'self' data: assets-cdn.github.com www.facebook.com; font-src 'self' data:; child-src 'self' www.youtube.com gaming.youtube.com player.twitch.tv www.facebook.com connect.facebook.net staticxx.facebook.com; upgrade-insecure-requests; block-all-mixed-content; disown-opener; reflected-xss block; base-uri https://itchy.nl; referrer no-referrer-when-downgrade";

	# Protects site from MiTM attacks using rogue X.509 certificates.
	# By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
	# Let's Encrypt Authority X3, ec-secp384r1.csr, rsa-2048.csr, backup EC, backup RSA
	add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="JUsMuoa8gRoKh0iUOn6Xh0rQsTAyrOmS5YbXOsAx9RI="; pin-sha256="DEpuCnuD202U2HOiXYEH6qvWdAyol9yI3l4KtjXRu6s="; pin-sha256="Pb3UYlTzcs3f6b5ENgh1oxBVL+tP5GHiN0yslKFtVOw="; pin-sha256="i3ryTV5o5d2n+A+hpOUp70qsD2CQbhA5vpOw1ODCUes="; max-age=2592000' always;