diff --git a/frontend/nginx.conf b/frontend/nginx.conf index 84db185..9be4abb 100644 --- a/frontend/nginx.conf +++ b/frontend/nginx.conf @@ -10,6 +10,28 @@ server { gzip_min_length 1024; gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss image/svg+xml; + # Security headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + + # Block access to sensitive files and directories + location ~ /\. { + deny all; + return 404; + } + + location ~ \.(env|git|gitignore|dockerignore)$ { + deny all; + return 404; + } + + location ~ ^/(node_modules|\.git|\.vscode|package\.json|package-lock\.json|vite\.config|tsconfig\.json)/? { + deny all; + return 404; + } + # SPA fallback - serve index.html for all non-file routes location / { try_files $uri $uri/ /index.html; diff --git a/nginx/conf.d.prod/default.conf b/nginx/conf.d.prod/default.conf index d3a56f0..01f84c9 100644 --- a/nginx/conf.d.prod/default.conf +++ b/nginx/conf.d.prod/default.conf @@ -12,6 +12,45 @@ server { client_max_body_size 500M; + # Security headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; + + # Strict Content Security Policy for production + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';" always; + + # Block access to sensitive files and directories + location ~ /\. { + deny all; + access_log off; + log_not_found off; + return 404; + } + + location ~ \.(env|git|gitignore|dockerignore|htaccess|htpasswd)$ { + deny all; + access_log off; + log_not_found off; + return 404; + } + + location ~ ^/(node_modules|\.git|\.vscode|\.idea|docker-compose|Dockerfile|package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|\.npmrc|\.yarnrc|tsconfig\.json|\.eslintrc|\.prettierrc|prisma|\.env.*|\.db|\.sqlite|\.sql|backup|backups|dumps|logs)/? { + deny all; + access_log off; + log_not_found off; + return 404; + } + + location ~ \.(bak|backup|swp|tmp|old|orig|save|~)$ { + deny all; + access_log off; + log_not_found off; + return 404; + } + # Frontend - Static files served by nginx location / { proxy_pass http://frontend; diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf index 037b962..85ca865 100644 --- a/nginx/conf.d/default.conf +++ b/nginx/conf.d/default.conf @@ -22,6 +22,35 @@ server { # Content Security Policy (permissive for dev, tighten for production) add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self';" always; + # Block access to sensitive files and directories + location ~ /\. { + deny all; + access_log off; + log_not_found off; + return 404; + } + + location ~ \.(env|git|gitignore|dockerignore|htaccess|htpasswd)$ { + deny all; + access_log off; + log_not_found off; + return 404; + } + + location ~ ^/(node_modules|\.git|\.vscode|\.idea|docker-compose|Dockerfile|package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|\.npmrc|\.yarnrc|tsconfig\.json|\.eslintrc|\.prettierrc|prisma|\.env.*|\.db|\.sqlite|\.sql|backup|backups|dumps|logs)/? { + deny all; + access_log off; + log_not_found off; + return 404; + } + + location ~ \.(bak|backup|swp|tmp|old|orig|save|~)$ { + deny all; + access_log off; + log_not_found off; + return 404; + } + # Frontend - Vite Dev Server location / { proxy_pass http://frontend;