mirror of
https://github.com/nextcloud/all-in-one.git
synced 2026-05-21 10:50:10 +00:00
12e129f1f6
Signed-off-by: Zoey <zoey@z0ey.de> Signed-off-by: Simon L. <szaimen@e.mail.de> Signed-off-by: Pablo Zmdl <pablo@nextcloud.com> Co-authored-by: Simon L. <szaimen@e.mail.de> Co-authored-by: Pablo Zmdl <pablo@nextcloud.com>
28 lines
3.2 KiB
Caddyfile
28 lines
3.2 KiB
Caddyfile
header {
|
|
# CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
|
|
# default-src 'none'; Allow nothing by default
|
|
# script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
|
|
# img-src 'self'; Only allow loading images from same origin (from AIO itself)
|
|
# connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
|
|
# frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
|
|
# base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
|
|
# form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
|
|
# frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
|
|
# upgrade-insecure-requests; Upgrade all http embedings to https
|
|
# require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
|
|
Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
|
|
X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
|
|
X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
|
|
X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
|
|
X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
|
|
Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
|
|
X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
|
|
Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
|
|
Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
|
|
Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
|
|
|
|
-Server
|
|
-X-Powered-By
|
|
-Via
|
|
}
|