From 4b9c57d1e469b00674bc8b075dc2bcce2979395c Mon Sep 17 00:00:00 2001
From: Kaloyan Nikolov <tzerber@gmail.com>
Date: Thu, 18 Apr 2024 18:33:39 +0300
Subject: [PATCH] Add missing headers to fpm config

Signed-off-by: Kaloyan Nikolov <tzerber@gmail.com>
---
 .../docker-compose/insecure/mariadb/fpm/web/nginx.conf      | 6 ++++++
 .../docker-compose/insecure/postgres/fpm/web/nginx.conf     | 6 ++++++
 .../with-nginx-proxy/mariadb/fpm/web/nginx.conf             | 6 ++++++
 .../with-nginx-proxy/postgres/fpm/web/nginx.conf            | 6 ++++++
 4 files changed, 24 insertions(+)

diff --git a/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf b/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
index e486b881..c7dcbc95 100644
--- a/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
+++ b/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
@@ -166,6 +166,12 @@ http {
         location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
             access_log off;     # Optional: Don't log access to assets
 
             location ~ \.wasm$ {
diff --git a/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf b/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf
index e486b881..c7dcbc95 100644
--- a/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf
+++ b/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf
@@ -166,6 +166,12 @@ http {
         location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
             access_log off;     # Optional: Don't log access to assets
 
             location ~ \.wasm$ {
diff --git a/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf b/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
index f69ddc5e..f574bde0 100644
--- a/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
+++ b/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
@@ -166,6 +166,12 @@ http {
         location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
             access_log off;     # Optional: Don't log access to assets
 
             location ~ \.wasm$ {
diff --git a/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf b/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
index c1e11d93..dccb37f6 100644
--- a/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
+++ b/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
@@ -166,6 +166,12 @@ http {
         location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
             access_log off;     # Optional: Don't log access to assets
 
             location ~ \.wasm$ {