From caf60d32fb93d42dc36a723672eba77c848dc691 Mon Sep 17 00:00:00 2001
From: toufic ar
Date: Thu, 15 Jan 2026 00:48:13 +0200
Subject: [PATCH] a little nginx hardening

---
 config/http/captiveportal.nix | 7 +++++++
 config/http/default.nix | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/config/http/captiveportal.nix b/config/http/captiveportal.nix
index 6483cb1..9f7f77a 100644
--- a/config/http/captiveportal.nix
+++ b/config/http/captiveportal.nix
@@ -2,6 +2,13 @@
   domain = config.customOps.domain;
 in {
   services.nginx.virtualHosts."cpcheck.${domain}" = {
+    extraConfig = ''
+      access_log off;
+      error_log off;
+
+      add_header Content-Security-Policy "default-src 'none'";
+      add_header 'Referrer-Policy' 'same-origin';
+    '';
     locations."/".return = 204;
     forceSSL = false;
     addSSL = true;
diff --git a/config/http/default.nix b/config/http/default.nix
index 8d5a48a..1753981 100644
--- a/config/http/default.nix
+++ b/config/http/default.nix
@@ -15,9 +15,17 @@ in {
     recommendedProxySettings = true;
     recommendedBrotliSettings = true;
+    appendHttpConfig = ''
+      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+    '';
+
     sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
     virtualHosts.${customDomain} = {
+      default = true;
       root = "/var/www/${customDomain}";
       forceSSL = true;
       enableACME = true;
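Review bot: The two `add_header` directives in this server-level `extraConfig` silently drop the http-level headers that the default.nix hunk of this same commit adds, because nginx only inherits `add_header` from the enclosing level when the current level defines none, so the cpcheck vhost will send its CSP and Referrer-Policy but not `X-Frame-Options` or `X-Content-Type-Options`; any other vhost or location that later adds its own `add_header` will lose them the same way. If that is not intended, repeat the two headers here, `add_header X-Frame-Options DENY;` and `add_header X-Content-Type-Options nosniff;`, or keep the full header set in a shared snippet that every level includes. Separately, `error_log off;` is not a recognised switch for error_log the way `access_log off;` is; nginx opens a log file literally named `off` relative to its prefix, so to discard errors for this vhost use `error_log /dev/null;` (optionally with a level such as `crit`). Note also that the Referrer-Policy line here and in default.nix lacks `always`, unlike the CSP in default.nix, so it is omitted on non-2xx/3xx responses; harmless for a location that always returns 204, but inconsistent across the two hunks.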