From 8de937f8d6a213820571f29fde71c4e94993d822 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 27 Oct 2020 18:34:47 +0100
Subject: [PATCH] install_nginx.sh: add HTTP Header Fields.
---
 example/wp-fastcgi_cache.conf | 20 ++++++++++++++++++--
 example/wp-site.conf | 21 +++++++++++++++++++--
 install_nginx.sh | 10 ++++++++--
 3 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/example/wp-fastcgi_cache.conf b/example/wp-fastcgi_cache.conf
index 630d90e..6168ef0 100644
--- a/example/wp-fastcgi_cache.conf
+++ b/example/wp-fastcgi_cache.conf
@@ -87,12 +87,18 @@ server {
 # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
 # Everything better than SHA1 (deprecated)
 #
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
 ssl_prefer_server_ciphers on;
 
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 #
- add_header Strict-Transport-Security max-age=15768000;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Content-Security-Policy "default-src 'self';" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "usb=()";
 
 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
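Review bot: The new `Content-Security-Policy "default-src 'self';"` is almost certainly too strict for the WordPress site this config serves (the file is wp-fastcgi_cache.conf): `default-src 'self'` blocks inline scripts and styles, `data:` URIs and every third-party origin, and WordPress core, wp-admin and most themes rely on inline script/style, so expect a broken admin and front end once this ships — confirm in a browser console against a real install. A safer rollout is to publish it first as `add_header Content-Security-Policy-Report-Only "default-src 'self';" always;`, read the violation reports, and only then switch to an enforcing header listing the sources the site actually needs. The HSTS comment still says `15768000 seconds = 6 months` while the value became 31536000 (one year); update it to `# HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year)`.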
@@ -204,6 +210,16 @@ server {
 add_header X-Cache-Status $upstream_cache_status;
 add_header X-Cache-Key "$scheme$request_method$host$request_uri";
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ #
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Content-Security-Policy "default-src 'self';" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "usb=()";
+
 }
diff --git a/example/wp-site.conf b/example/wp-site.conf
index 1b5535c..feef5ac 100644
--- a/example/wp-site.conf
+++ b/example/wp-site.conf
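Review bot: The seven header lines are repeated here because nginx only inherits `add_header` from the server level when a location defines none of its own, and this location already sets X-Cache-Status and X-Cache-Key; with the same block now pasted into both example configs and the installer, the copies will drift the first time one of them is tuned. Put them in one snippet file and `include snippets/security-headers.conf;` at each level instead. Within the block the `always` flag is also inconsistent: only HSTS, X-Frame-Options and CSP carry it, so X-Content-Type-Options, Referrer-Policy and Permissions-Policy are dropped on 4xx/5xx responses (the ones that bypass the FastCGI cache) — add it to those lines too, e.g. `add_header X-Content-Type-Options nosniff always;`. The enclosing location block starts outside the hunk.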
@@ -54,12 +54,18 @@ server {
 # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
 # Everything better than SHA1 (deprecated)
 #
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
 ssl_prefer_server_ciphers on;
 
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 #
- add_header Strict-Transport-Security max-age=15768000;
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Content-Security-Policy "default-src 'self';" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "usb=()";
 
 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
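Review bot: The `!aNULL:!eNULL:...:!3DES` tail appended to `ssl_ciphers` changes nothing: the string is an explicit allowlist of ten ECDHE suites, none of which falls into any of the excluded classes, so the exclusions only add noise and make the list look like a blacklist-style string, which it is not. Drop the tail and keep the ten suite names; `openssl ciphers -v '<string>'` returns the same set either way. On the HSTS line, `max-age=31536000` without `includeSubDomains` still lets an attacker who controls plain-HTTP traffic to any subdomain inject cookies for the parent domain; if every subdomain is served over HTTPS, change it to `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`, and if that is not the case, leave a comment saying why it was left out.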
@@ -110,6 +116,17 @@ server {
 #The following parameter can be also included in fastcgi_params file
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ #
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Content-Security-Policy "default-src 'self';" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "usb=()";
+
 }
 location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
diff --git a/install_nginx.sh b/install_nginx.sh
index 4d6a860..25c6b62 100755
--- a/install_nginx.sh
+++ b/install_nginx.sh
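Review bot: The headers are added inside the PHP location, but the very next context line opens `location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {` whose body lies outside the hunk; if that block sets any `add_header` of its own (an `expires`/`Cache-Control` line is usual for a static-asset location), nginx will not inherit the server-level headers there, and `X-Content-Type-Options: nosniff` is the one that matters most on exactly those responses. Check that location and give it the same set, ideally via an `include` snippet rather than a fourth copy. Separately, `X-XSS-Protection "1; mode=block"` enables a legacy filter that current browsers have removed and that was itself a source of side-channel and content-blocking bugs in older ones; current OWASP guidance is to disable it explicitly with `add_header X-XSS-Protection "0" always;` and rely on the CSP. The enclosing PHP location block starts outside the hunk.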
@@ -315,7 +315,8 @@ server {
 # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
 # Everything better than SHA1 (deprecated)
 #
- ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
+ #ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
 ssl_prefer_server_ciphers on;
 EOF
@@ -334,10 +335,15 @@ EOF
 fi
 cat << EOF >> /etc/nginx/sites-available/default 2>> ${log_file}
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ #
 add_header Strict-Transport-Security "max-age=31536000" always;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Content-Type-Options nosniff;
- #add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Content-Security-Policy "default-src 'self';" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header Permissions-Policy "usb=()";
 root /var/www/html;
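Review bot: The old cipher string is kept as a commented-out `#ssl_ciphers '...'` line inside the heredoc, so every generated `/etc/nginx/sites-available/default` will carry a 400-character dead line; git already holds the history, delete it. The replacement list is a real improvement (it drops the DHE and SHA1-CBC suites the old line allowed), but the `!aNULL:...:!3DES` tail is a no-op on an explicit allowlist of ECDHE suites and can be dropped with an identical result from `openssl ciphers -v`. The `cat << EOF` heredoc this hunk sits in starts before the hunk; the cipher string contains no `$`, so shell expansion is not an issue for these two lines.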
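Review bot: `Permissions-Policy "usb=()"` only disables WebUSB, an unusual single feature to pick for a generated WordPress default site; if the intent is to deny powerful APIs the site does not use, the usual baseline is `add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), usb=()" always;`, and the same line is now pasted into the two example configs as well. The `cat << EOF` on the second line of the hunk is an unquoted heredoc, so any `$` inside a header value is expanded by the shell at install time; the values added here contain none, but anyone extending the CSP later must write `\$` or switch the delimiter to `'EOF'`, and a short comment above the block saying so would prevent that mistake. The `6 months` in the new comment is also wrong for `max-age=31536000`, which is one year.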