From c1e63dcc86f8dc8f594b1c80c7ff0af9bf04edc5 Mon Sep 17 00:00:00 2001
From: Mikael Voss
Date: Sat, 19 Oct 2024 18:43:37 +0200
Subject: [PATCH] nixos/solitary: Fix conditional setting of HTTP headers
---
nixos/config/solitary/configuration.nix | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/nixos/config/solitary/configuration.nix b/nixos/config/solitary/configuration.nix
index 12b5a4e..5e33091 100644
--- a/nixos/config/solitary/configuration.nix
+++ b/nixos/config/solitary/configuration.nix
@@ -370,18 +370,12 @@ in { http-request cache-use default http-request set-header X-Forwarded-Proto %[ssl_fc,iif(https,http)] - acl no-coep res.hdr(Cross-Origin-Embedder-Policy) -m len 0 - acl no-coop res.hdr(Cross-Origin-Opener-Policy) -m len 0 - acl no-corp res.hdr(Cross-Origin-Resource-Policy) -m len 0 - acl no-csp res.hdr(Content-Security-Policy) -m len 0 - acl no-rp res.hdr(Referrer-Policy) -m len 0 - http-response set-header Alt-Svc "h3=\":443\"" - http-response set-header Cross-Origin-Embedder-Policy require-corp if no-coep - http-response set-header Cross-Origin-Opener-Policy same-origin if no-coop - http-response set-header Cross-Origin-Resource-Policy same-origin if no-corp - http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" if no-csp - http-response set-header Referrer-Policy same-origin if no-rp + http-response set-header Cross-Origin-Embedder-Policy require-corp unless { res.hdr(Cross-Origin-Embedder-Policy) -m found } + http-response set-header Cross-Origin-Opener-Policy same-site unless { res.hdr(Cross-Origin-Opener-Policy) -m found } + http-response set-header Cross-Origin-Resource-Policy same-site unless { res.hdr(Cross-Origin-Resource-Policy) -m found } + http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" unless { res.hdr(Content-Security-Policy) -m found } + http-response set-header Referrer-Policy same-origin unless { res.hdr(Referrer-Policy) -m found } http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" http-response set-header X-Frame-Options DENY http-response set-header X-Content-Type-Options nosniff
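Review bot: `same-site` is not a defined Cross-Origin-Opener-Policy value (the header takes `unsafe-none`, `same-origin-allow-popups` or `same-origin`), so on the new COOP line browsers are expected to treat it as unrecognised and fall back to `unsafe-none`. That would leave the default without opener isolation, and `require-corp` alone does not give cross-origin isolation. Keep the previous value: `http-response set-header Cross-Origin-Opener-Policy same-origin unless { res.hdr(Cross-Origin-Opener-Policy) -m found }`. The Cross-Origin-Resource-Policy default also moves from `same-origin` to `same-site`, which is valid but allows sibling subdomains to embed these responses; the subject only mentions the conditional fix, so that relaxation should be stated in the commit message or in a comment above the rule. The enclosing HAProxy section starts and ends outside the hunk.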