tests sécurisation headers

cdebarros · cdebarros · commit b8e800367d92 · 2025-07-24T15:46:53.000+02:00
diff --git a/.docker/nginx.apps.conf b/.docker/nginx.apps.conf
@@ -6,12 +6,15 @@ server {
         root   /usr/share/nginx/html;
 
         server_tokens off;
-        
+
         location ~ /index.html|.*\.toml|.*\.json$ {
           expires -1;
           add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
           add_header X-Frame-Options DENY;
           add_header X-Content-Type-Options nosniff;
+          add_header Referrer-Policy strict-origin;
+          add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()";
+          add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
         }
 
         location ~ .*\.css$|.*\.js$ {
@@ -26,8 +29,6 @@ server {
           try_files $uri $uri/ /index.html;
 
           add_header Cache-Control 'max-age=86400'; # 24h
-          add_header X-Frame-Options DENY;
-          add_header X-Content-Type-Options nosniff;
         }
 
         error_page   500 502 503 504  /50x.html;
