Sargeanthost · March 7, 2021 22:22 · Mar 7, 2021
diff --git a/options-ssl-nginx.conf b/options-ssl-nginx.conf
@@ -0,0 +1,19 @@
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+
+#important
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve  secp384r1;
+
+add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
+#Too many plugins and different things to put shas for each, yet not sure how to make nonces with wordpress. Using "unsafe-..." is highly discouraged.
+#Also, you cannot seperate this into a multi-line header as that was deprecated and is no longer supported. If you notice things are broken after adding this header, look in the console and add what it needs.
+add_header Content-Security-Policy "default-src 'self' https://maps.google.com/ https://www.google.com/ https://yoast.com/; frame-ancestors 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdnjs.cloudflare.com/ https://www.google.com/ https://www.gstatic.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://secure.gravatar.com https://ps.w.org/ https://cdn.shortpixel.ai/; font-src 'self' data: https://fonts.gstatic.com;";
+add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
+add_header Permissions-Policy "accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), sync-xhr=(), usb=()";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
No results found