tests sécurisation headers

cdebarros · cdebarros · commit 68afb4940bb5 · 2025-07-24T18:22:24.000+02:00
diff --git a/.docker/nginx.apps.conf b/.docker/nginx.apps.conf
@@ -19,16 +19,31 @@ server {
 
         location ~ .*\.css$|.*\.js$ {
           add_header Cache-Control 'max-age=86400'; # 24h
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header Referrer-Policy strict-origin;
+          add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()";
+          add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
         }
 
         location ~ .*\.otf$|.*\.ttf$|.*\.woff2?$ {
           add_header Cache-Control 'max-age=31536000'; # 1year
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header Referrer-Policy strict-origin;
+          add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()";
+          add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
         }
 
         location / {
           try_files $uri $uri/ /index.html;
 
           add_header Cache-Control 'max-age=86400'; # 24h
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header Referrer-Policy strict-origin;
+          add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()";
+          add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
         }
 
         error_page   500 502 503 504  /50x.html;
