[WP] Add CSP and Content-Type-Options headers

We do this more reliably on HAProxy, as doing it from WP requires
specialised plugins and in DD we are sure that traffic goes through
the corresponding HAProxy backend.
GON-3874-DD-moodle
Evilham 2022-12-02 11:13:33 +01:00
parent 08ed2bb1bb
commit 740f799b9c
No known key found for this signature in database
GPG Key ID: AE3EE30D970886BF
2 changed files with 6 additions and 3 deletions

View File

@ -48,9 +48,9 @@ backend be_oof
backend be_wp backend be_wp
mode http mode http
# Add security headers here, as WP is a tad of a pain to setup
http-request set-header X-SSL %[ssl_fc] http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data: *; style-src 'self' 'unsafe-inline' data: fonts.googleapis.com maxcdn.bootstrapcdn.com; font-src 'self' data: fonts.gstatic.com maxcdn.bootstrapcdn.com"
http-request set-header X-Forwarded-Proto https http-response set-header X-Content-Type-Options "nosniff"
server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
# #
# END: backends.cnf # END: backends.cnf

View File

@ -12,6 +12,9 @@
http-request del-header X-Forwarded-Proto http-request del-header X-Forwarded-Proto
# But add our forwarding headers instead # But add our forwarding headers instead
option forwardfor option forwardfor
# We are always doing TLS, except for redirections
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-Forwarded-Proto https
# New line to test URI to see if its a letsencrypt request # New line to test URI to see if its a letsencrypt request
acl letsencrypt-acl path_beg /.well-known/acme-challenge/ acl letsencrypt-acl path_beg /.well-known/acme-challenge/