diff --git a/CHANGES.md b/CHANGES.md index edfacd3ad2..196ffa7153 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -10,6 +10,8 @@ ### :bug: Bugs fixed +- Harden Nginx responses with standard security headers and hide upstream `X-Powered-By` headers + ## 2.16.0 (Unreleased) ### :boom: Breaking changes & Deprecations diff --git a/docker/devenv/files/nginx-security-headers.conf b/docker/devenv/files/nginx-security-headers.conf new file mode 100644 index 0000000000..d41baf3a22 --- /dev/null +++ b/docker/devenv/files/nginx-security-headers.conf @@ -0,0 +1,4 @@ +add_header X-Content-Type-Options "nosniff" always; +add_header Referrer-Policy "strict-origin-when-cross-origin" always; +add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; +add_header X-Frame-Options SAMEORIGIN always; diff --git a/docker/devenv/files/nginx.conf b/docker/devenv/files/nginx.conf index 3a6f50b4be..e93ca0750c 100644 --- a/docker/devenv/files/nginx.conf +++ b/docker/devenv/files/nginx.conf @@ -74,6 +74,8 @@ http { resolver 127.0.0.11 ipv6=off; etag off; + proxy_hide_header X-Powered-By; + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; root /home/penpot/penpot/frontend/resources/public; @@ -92,6 +94,7 @@ http { proxy_pass $redirect_uri; proxy_ssl_server_name on; + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header x-internal-redirect "$redirect_uri"; add_header x-cache-control "$redirect_cache_control"; add_header cache-control "$redirect_cache_control"; @@ -108,6 +111,7 @@ http { location /internal/assets { internal; alias /home/penpot/penpot/backend/assets; + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header x-internal-redirect "$upstream_http_x_accel_redirect"; } @@ -186,6 +190,7 @@ http { location /wasm-playground { alias /home/penpot/penpot/frontend/resources/public/wasm-playground/; + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header Cache-Control "no-cache, max-age=0"; autoindex on; } @@ -211,6 +216,7 @@ http { proxy_set_header User-Agent "curl/8.5.0"; proxy_set_header Host "raw.githubusercontent.com"; proxy_set_header Accept "*/*"; + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header Access-Control-Allow-Origin $http_origin; proxy_buffering off; } @@ -235,6 +241,7 @@ http { proxy_cache penpot; + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header Access-Control-Allow-Origin $http_origin; add_header Cache-Control max-age=86400; add_header X-Cache-Status $upstream_cache_status; @@ -257,16 +264,19 @@ http { proxy_cache penpot; + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header Access-Control-Allow-Origin $http_origin; add_header Cache-Control max-age=86400; add_header X-Cache-Status $upstream_cache_status; } location ~* \.(jpg|png|svg|ttf|woff|woff2|gif)$ { + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header Cache-Control "public, max-age=604800" always; # 7 days } location ~* \.(js|css|wasm)$ { + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header Cache-Control "no-store" always; } @@ -274,6 +284,7 @@ http { return 301 " /404"; } + include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf; add_header Cache-Control "no-store" always; try_files $uri /index.html$is_args$args /index.html =404; } diff --git a/docker/images/Dockerfile.frontend b/docker/images/Dockerfile.frontend index 9f435551ad..1b44b9c3a1 100644 --- a/docker/images/Dockerfile.frontend +++ b/docker/images/Dockerfile.frontend @@ -17,6 +17,7 @@ ARG BUNDLE_PATH="./bundle-frontend/" COPY $BUNDLE_PATH /var/www/app/ COPY ./files/config.js /var/www/app/js/config.js COPY ./files/nginx.conf.template /tmp/nginx.conf.template +COPY ./files/nginx-security-headers.conf /etc/nginx/nginx-security-headers.conf COPY ./files/nginx-resolvers.conf.template /tmp/resolvers.conf.template COPY ./files/nginx-mime.types /etc/nginx/mime.types COPY ./files/nginx-external-locations.conf /etc/nginx/overrides/location.d/external-locations.conf diff --git a/docker/images/files/nginx-security-headers.conf b/docker/images/files/nginx-security-headers.conf new file mode 100644 index 0000000000..d41baf3a22 --- /dev/null +++ b/docker/images/files/nginx-security-headers.conf @@ -0,0 +1,4 @@ +add_header X-Content-Type-Options "nosniff" always; +add_header Referrer-Policy "strict-origin-when-cross-origin" always; +add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; +add_header X-Frame-Options SAMEORIGIN always; diff --git a/docker/images/files/nginx.conf.template b/docker/images/files/nginx.conf.template index 0daab4b9d4..f365cbd512 100644 --- a/docker/images/files/nginx.conf.template +++ b/docker/images/files/nginx.conf.template @@ -80,6 +80,8 @@ http { charset utf-8; etag off; + proxy_hide_header X-Powered-By; + include /etc/nginx/nginx-security-headers.conf; root /var/www/app/; @@ -100,6 +102,7 @@ http { proxy_ssl_server_name on; proxy_pass $redirect_uri; + include /etc/nginx/nginx-security-headers.conf; add_header x-internal-redirect "$redirect_uri"; add_header x-cache-control "$redirect_cache_control"; add_header cache-control "$redirect_cache_control"; @@ -118,6 +121,7 @@ http { location /internal/assets { internal; alias /opt/data/assets; + include /etc/nginx/nginx-security-headers.conf; add_header x-internal-redirect "$upstream_http_x_accel_redirect"; } @@ -177,6 +181,7 @@ http { include /etc/nginx/overrides/location.d/*.conf; location ~* \.(js|css|jpg|png|svg|gif|ttf|woff|woff2|wasm|map)$ { + include /etc/nginx/nginx-security-headers.conf; add_header Cache-Control "public, max-age=604800" always; # 7 days } @@ -184,7 +189,7 @@ http { return 301 " /404"; } - add_header X-Frame-Options SAMEORIGIN always; + include /etc/nginx/nginx-security-headers.conf; add_header Cache-Control "no-store, no-cache, max-age=0" always; try_files $uri /index.html$is_args$args /index.html =404;