nginx: добавить security-заголовки (HSTS, CSP, X-Frame-Options, X-Content-Type)

Заголовки повторены в location / из-за особенности nginx — дочерний блок с add_header отменяет наследование родительского server-уровня. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 07:58:56 +02:00 · 2026-03-21 07:58:56 +02:00 · 5c9176fcd9
commit 5c9176fcd9
parent 1b2aa501c6
1 changed files with 18 additions and 0 deletions
--- a/nginx/baton.conf
+++ b/nginx/baton.conf
@ -91,9 +91,27 @@ server {
        proxy_connect_timeout 5s;
    }

+    # ---------------------------------------------------------------------------
+    # Security headers
+    # IMPORTANT: must be repeated in every location block that uses add_header,
+    # because nginx does not inherit parent add_header when child block defines its own.
+    # ---------------------------------------------------------------------------
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options DENY always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+
    # Статика фронтенда (SPA)
    location / {
        root       /opt/baton/frontend;
        try_files  $uri /index.html;
+        expires    1h;
+        # Security headers repeated here because add_header in location blocks
+        # overrides parent-level add_header directives (nginx inheritance rule)
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Content-Type-Options nosniff always;
+        add_header X-Frame-Options DENY always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+        add_header Cache-Control "public" always;
    }
 }