# If you're using Nginx you can find your server settings here: /etc/nginx/sites-enabled/default
# Thanks to @_mig5 for your help!
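server {
    root /var/www/html/website; # ADD YOUR SITE'S FOLDER LOCATION
    server_name website.com www.website.com; # YOUR URLS

    # THIS IS ALL MANAGED BY CERTBOT
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/website.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # ADD THESE HEADERS FOR YOUR PUBLIC SITE
    # "always" makes nginx emit the header on every response code. Without it,
    # add_header only applies to 2xx/3xx responses, so 4xx/5xx error pages would
    # be delivered with none of these protections.
    # Note: add_header directives are inherited by a location block only when that
    # location defines no add_header of its own — repeat the full set there if you add one.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # Advertises the onion mirror to Tor Browser; only meaningful on the HTTPS clearnet site.
    add_header Onion-Location http://YourOnionSite.onion$request_uri always; # REPLACE WITH YOUR ONION ADDRESS
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; form-action 'none'" always;
    add_header Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(), payment=(), interest-cohort=()" always;
    add_header Referrer-Policy "no-referrer" always;
    # Legacy header kept from the original. Current browsers have removed the XSS
    # auditor and OWASP now recommends "0" or omitting it; the CSP above is the
    # effective control.
    add_header X-XSS-Protection "1; mode=block" always;
}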
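server {
    # Tor hands onion traffic to nginx on the loopback interface. With no listen
    # directive this block falls back to *:80 and, being the first such server in the
    # file, becomes the default server for plain HTTP on the public address — any
    # request with an unmatched Host header would then get the site over HTTP instead
    # of the 301 redirect below. Binding to loopback closes that path.
    # Assumes torrc uses "HiddenServicePort 80 127.0.0.1:80" — adjust to match your torrc.
    listen 127.0.0.1:80;
    server_name YourOnionSite.onion; # REPLACE WITH YOUR ONION ADDRESS
    # Requests arrive via Tor, so the logged client address is always the loopback;
    # request paths and timestamps are still retained. Use "access_log off;" if that
    # metadata should not be kept for the onion service.
    access_log /var/log/nginx/hs-my-website.log;
    index index.html;
    root /var/www/html/website; # ADD YOUR SITE'S FOLDER LOCATION

    # ADD THESE FOR YOUR ONION SITE
    # "always" makes nginx emit the header on every response code; otherwise
    # 4xx/5xx error pages are served without these protections.
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; form-action 'none'" always;
    add_header Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(), payment=(), interest-cohort=()" always;
    add_header Referrer-Policy "no-referrer" always;
    # Legacy header kept from the original; OWASP now recommends "0" or omitting it.
    add_header X-XSS-Protection "1; mode=block" always;
}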
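server {
    # Plain-HTTP entry point for the clearnet hostnames: redirect everything to HTTPS.
    listen 80;
    # The HTTPS block listens on [::]:443 as well; without a matching v6 listener
    # here, IPv6 clients arriving on port 80 would get no redirect at all.
    listen [::]:80;
    server_name website.com www.website.com; # YOUR URLS
    # Fixed hostname rather than $host so the redirect target cannot be influenced by
    # the request's Host header.
    return 301 https://website.com$request_uri; # YOUR HTTPS REDIRECT
}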