feat: Phase 6 — nginx security headers, CSP hardening, rate limiting

- CSP: removed unsafe-eval, tightened frame-src to self + host ports,
  added frame-ancestors, base-uri, form-action directives
- X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies
- HSTS: max-age=31536000; includeSubDomains on all server blocks
- Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone
- Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-18 00:57:16 +00:00
parent 3418c273d4
commit 022e7e484a
4 changed files with 86 additions and 10 deletions

View File

@@ -22,6 +22,7 @@ server {
proxy_ssl_server_name on;
proxy_ssl_name botfights.net;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header Content-Security-Policy;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
@@ -49,6 +50,7 @@ server {
proxy_ssl_server_name on;
proxy_ssl_name 484.kitchen;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header Content-Security-Policy;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
@@ -76,6 +78,7 @@ server {
proxy_ssl_server_name on;
proxy_ssl_name present.l484.com;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header Content-Security-Policy;
proxy_connect_timeout 60s;
proxy_read_timeout 60s;