CU-cwkb6h Updates from Mozilla Observatory scan

ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2

@@ -7,38 +7,42 @@ server {
   listen [::]:443 ssl http2;
   server_name {{ ci_server_name }};
 
-  add_header              Strict-Transport-Security max-age=6307200;
-  add_header              Allow "GET, POST, HEAD" always;
-
-  #limit_except GET POST { deny all; }
-
   ssl_certificate         /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
   ssl_certificate_key     /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
   ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
   ssl_dhparam             /etc/ssl/certs/dhparam.pem;
 
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 1d;
-  ssl_session_tickets off;
-  ssl_stapling on;
-  ssl_stapling_verify on;
-
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
   ssl_prefer_server_ciphers off;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_tickets       off;
+  ssl_session_timeout       1d;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
 
   location / {
     modsecurity on;
     modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
 
+    add_header Allow                     "GET, POST, HEAD"                                                                                                                                                                        always;
+    add_header Content-Security-Policy   "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
+    add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
+    add_header Strict-Transport-Security "max-age=630720000; includeSubDomains"                                                                                                                                                   always;
+    add_header X-Content-Type-Options    "nosniff"                                                                                                                                                                                always;
+
+    # Sent from upstream:
+    # add_header X-Frame-Options           "SAMEORIGIN";
+    # add_header X-XSS-Protection          "1; mode=block";
+
+    proxy_set_header Host              $http_host;
     proxy_set_header X-Forwarded-For   $remote_addr;
     proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Host              $http_host;
 
+    proxy_buffering    off;
+    proxy_http_version 1.1;
     proxy_pass         http://drone;
     proxy_redirect     off;
-    proxy_http_version 1.1;
-    proxy_buffering    off;
 
     chunked_transfer_encoding off;
   }