nginx: добавить security-заголовки (HSTS, CSP, X-Frame-Options, X-Content-Type)

Заголовки повторены в location / из-за особенности nginx — дочерний блок
с add_header отменяет наследование родительского server-уровня.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Gros Frumos 2026-03-21 07:58:56 +02:00
parent 2d7b99618c
commit c969825c80


@ -91,9 +91,27 @@ server {
proxy_connect_timeout 5s; proxy_connect_timeout 5s;
} }
# ---------------------------------------------------------------------------
# Security headers
# IMPORTANT: must be repeated in every location block that uses add_header,
# because nginx does not inherit parent add_header when child block defines its own.
# ---------------------------------------------------------------------------
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
# Статика фронтенда (SPA) # Статика фронтенда (SPA)
location / { location / {
root /opt/baton/frontend; root /opt/baton/frontend;
try_files $uri /index.html; try_files $uri /index.html;
expires 1h;
# Security headers repeated here because add_header in location blocks
# overrides parent-level add_header directives (nginx inheritance rule)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
add_header Cache-Control "public" always;
} }
} }
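Review bot: The Content-Security-Policy added at the server level and repeated in `location /` has no `frame-ancestors`, `object-src` or `base-uri` directive, so framing protection rests on `X-Frame-Options DENY` alone and plugins and `<base>` rewriting fall back to `default-src 'self'`; appending `frame-ancestors 'none'; object-src 'none'; base-uri 'self'` to both policy strings closes that gap without changing what the SPA may load. `style-src 'unsafe-inline'` is presumably needed by the frontend's inline styles, but it is the weakest part of the policy and deserves a comment saying why it is there, so nobody later assumes it can be tightened for free. In `location /`, `expires 1h` already emits a `Cache-Control: max-age=3600` header, so the new `add_header Cache-Control "public" always;` yields a second Cache-Control header rather than one merged value, and because `try_files` answers every route with `/index.html` the SPA shell itself is cached for an hour. Since the four `add_header` lines must stay identical in both places, putting them in a snippet file and using `include` in the `server` block and in `location /` would stop the two copies drifting apart. Whether sending HSTS from this `server` block is correct depends on its `listen` directives, which are outside the hunk — the block starts before it.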