add security headers

Author: cristiano cardelli

build/docker/nginx/default.conf

@@ -17,6 +17,10 @@ http {
                        '"$http_user_agent" "$http_x_forwarded_for"';
     access_log    /var/log/nginx/access.log main;
     add_header    X-Frame-Options SAMEORIGIN;
+    add_header    X-Content-Type-Options nosniff;
+    add_header    X-XSS-Protection "1; mode=block";
+    add_header    Referrer-Policy "strict-origin-when-cross-origin";
+    add_header    Permissions-Policy "geolocation=(), microphone=(), camera=()";
 
     client_body_temp_path  /var/cache/nginx/client_temp;
     proxy_temp_path        /var/cache/nginx/proxy_temp;

config/wp-config.php

@@ -133,9 +133,19 @@
  * More info at: https://docs.bitnami.com/general/apps/wordpress/troubleshooting/xmlrpc-and-pingback/
  */
 if (!defined('WP_CLI')) {
-  // remove x-pingback HTTP header
+  // remove x-pingback and add security headers
   add_filter("wp_headers", function ($headers) {
     unset($headers["X-Pingback"]);
+
+    $headers["X-Content-Type-Options"]       = "nosniff";
+    $headers["X-XSS-Protection"]            = "1; mode=block";
+    $headers["Referrer-Policy"]              = "strict-origin-when-cross-origin";
+    $headers["Permissions-Policy"]          = "geolocation=(), microphone=(), camera=()";
+
+    if (function_exists("is_ssl") && is_ssl()) {
+      $headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
+    }
+
     return $headers;
   });
   // disable pingbacks