improved sandbox nginx security headers

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
eclipse-ditto · Jan 9, 2023 · 21f1b0d · 21f1b0d
1 parent 71cd5fd
commit 21f1b0d
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/deployment/docker/sandbox/nginx.conf b/deployment/docker/sandbox/nginx.conf
@@ -143,10 +143,11 @@ http {
 
     # security relevant headers:
     add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
-    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; img-src 'self' data: https://raw.githubusercontent.com; worker-src 'self' blob:; connect-src 'self' localhost;" always;
+    add_header Content-Security-Policy "default-src 'self' 'sha256-VBHeOpIX6yWZ0JTnxdN0srjOFLQ8dvcOukHhkEkUTTM=' 'sha256-mfFV0ZbsBS2DlOgYHoR09y92EObpSr85vW6YB9VUvTw=' 'sha256-vD02WTkLq/Mc1Rwiyb2Si246qnnZQmls4LqjlSG4ufU=' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; img-src 'self' data: https://raw.githubusercontent.com; worker-src 'self' blob:; connect-src 'self' localhost;" always;
     expires 1s;
     add_header Cache-Control "no-cache";
     add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options "SAMEORIGIN";
 
     # required for let's encrypt:
     location ^~ /.well-known/acme-challenge {