Web security enhancements

* new dependency: libnginx-mod-http-headers-more-filter
* security headers in _general.conf (inherited to all vhosts)
* scheme-dependent Strict-Transport-Security header in nginx.conf

.templates/nginx/.nginx/_general.conf

@@ -1,14 +1,29 @@
 # NGINX general configuration for Docker services.
+# Uses ngx_http_headers_more_filter_module to inherit the security headers.
+# Note, this is not a really restrictive policy!
+# Feel free to customize the particular vhost definitions.
 
 # Doesn't explore unnecessary info.
+#
 server_tokens off;
-# Depends on ngx_http_security_headers_module.so
-#hide_server_tokens on;
+
+# Security headers to achieve 'A' grade on https://securityheaders.com/
+# See e.g https://linuxcapable.com/how-to-configure-security-headers-in-nginx/
+# Depends on ngx_http_headers_more_filter_module.so
+#
+# These are valid restrictions below.
+more_set_headers "X-Frame-Options: SAMEORIGIN";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Referrer-Policy: no-referrer-when-downgrade";
+# These are dummy restrictions (meaningless headers) below.
+more_set_headers "Content-Security-Policy: img-src *";
+more_set_headers "Permissions-Policy: geolocation=*";
 
 # https://amalgjose.com/2020/05/15/how-to-set-the-allowed-url-length-for-a-nginx-request-error-code-414-uri-too-large/
+#
 large_client_header_buffers 4 32k;
 
 # https://serverfault.com/questions/602201/nginx-possible-bug-with-dashes-in-server-name
 # https://trac.nginx.org/nginx/ticket/571
+#
 #server_names_hash_bucket_size 64;
-