Add environment variable in frontend and ssl

2026-04-19 20:29:17 +00:00 · 2022-02-14 08:27:05 -03:00
parent 7a4e908421
commit ac84639687
30 changed files with 207 additions and 77 deletions
--- a/frontend/.docker/nginx/include.d/spa.conf
+++ b/frontend/.docker/nginx/include.d/spa.conf
@@ -1,28 +1,16 @@
-listen 80;
-index index.html;
-root /var/www/public/;
+# X-Frame-Options is to prevent from clickJacking attack
+add_header X-Frame-Options SAMEORIGIN;

-location /{{ default .Env.FOLDER_BACKEND "api" }}/ {
-    proxy_pass {{ .Env.URL_BACKEND }};
-}
+# disable content-type sniffing on some browsers.
+add_header X-Content-Type-Options nosniff;

-location /socket.io/ {
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $host;
-    proxy_pass {{ .Env.URL_BACKEND }}socket.io/;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";    
-}
+# This header enables the Cross-site scripting (XSS) filter
+add_header X-XSS-Protection "1; mode=block";

-location / {
-    try_files $uri $uri/ /index.html;
-    include include.d/nocache.conf;
-}
+# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

-location /static {
-   alias /var/www/public/static/;
-   include include.d/allcache.conf;
-}
+add_header Referrer-Policy "no-referrer-when-downgrade";

-include include.d/root.conf;
+# Enables response header of "Vary: Accept-Encoding"
+gzip_vary on;