WIP

MarceloRGonc · MarceloRGonc · commit 0aa69dac18ec · 2026-04-16T17:50:48.000+01:00
diff --git a/deploy/docker-compose/nginx.gateway.routing.template b/deploy/docker-compose/nginx.gateway.routing.template
@@ -4,15 +4,24 @@ client_max_body_size 10m;
 client_body_buffer_size 1K;
 client_header_buffer_size 1k;
 large_client_header_buffers 4 16k;
-add_header Referrer-Policy "no-referrer-when-downgrade";
+
 add_header X-Content-Type-Options "nosniff" always;
-add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
+add_header Referrer-Policy "no-referrer-when-downgrade";
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+add_header Content-Security-Policy "
+  default-src 'self';
+  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net;
+  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+  font-src 'self' https://fonts.gstatic.com https://fonts.cdnfonts.com;
+  img-src 'self' data: blob:;
+  connect-src 'self' https://api.github.com https://*.openops.com;
+  frame-ancestors 'none';
+" always;
+
 ssi off;
 server_tokens off;
 
 location / {
-    add_header X-Frame-Options DENY;
     proxy_pass http://openops-app;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
@@ -65,7 +74,6 @@ location /openops-tables {
 }
 
 location ~ ^/api/v1/webhooks/[^/]+/sync$ {
-    add_header X-Frame-Options DENY;
     proxy_pass http://openops-app;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
diff --git a/deploy/docker-compose/nginx.gateway.tls.conf b/deploy/docker-compose/nginx.gateway.tls.conf
@@ -23,10 +23,6 @@ server {
     ssl_session_cache shared:MozSSL:10m;
 
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
-    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
 
     include /etc/nginx/conf.d/gateway.routing;
 }

Original file line number	Diff line number	Diff line change
`@@ -23,10 +23,6 @@ server {`
`23`	`23`	`ssl_session_cache shared:MozSSL:10m;`
`24`	`24`
`25`	`25`	`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
`26`		`-`
`27`		`- add_header X-Content-Type-Options "nosniff" always;`
`28`		`- add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;`
`29`		`- add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;`
`30`	`26`
`31`	`27`	`include /etc/nginx/conf.d/gateway.routing;`
`32`	`28`	`}`