From 71032150c5a08c6889e828b6500c79a3cd86929f Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 21 May 2021 17:27:00 -0400
Subject: [PATCH] Add secure HTTP headers to all SO application responses to reduce exposure to browser and other HTTP-related vulnerabilities
---
 salt/nginx/etc/nginx.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index ea820442b..e9f67e065 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -149,6 +149,12 @@ http {
 root /opt/socore/html;
 index index.html;
 
+ add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; frame-ancestors 'self'";
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
 ssl_certificate "/etc/pki/nginx/server.crt";
 ssl_certificate_key "/etc/pki/nginx/server.key";
 ssl_session_cache shared:SSL:1m;
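Review bot: None of the five new add_header lines carries the `always` flag, so nginx emits these headers only on 2xx/3xx responses and drops them on 4xx/5xx pages (error pages are exactly where HSTS and nosniff still matter); change each line in the form `add_header X-Content-Type-Options nosniff always;`. Note also that add_header does not inherit additively: any `location` block in this server that declares its own add_header will silently lose all five of these, so if such blocks exist below this hunk the headers should be moved to an included snippet or repeated there. The CSP as written (`'unsafe-inline' 'unsafe-eval' https:`) gives essentially no script-injection protection beyond what frame-ancestors adds, which is presumably a deliberate compromise for the app but is worth a comment saying so, and `X-XSS-Protection "1; mode=block"` is a deprecated filter that modern browsers ignore and that was itself a source of leaks, so many guides now send `0` or omit it. The HSTS `preload` directive is a one-way commitment on whatever domain the appliance is deployed under; consider leaving it out of the default config. The enclosing server block starts and ends outside this hunk.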