move CSP headers to private file as they are dangerous to copy
paskal committed Feb 8, 2024
1 parent 139215f commit 6275061
Showing 2 changed files with 3 additions and 3 deletions.
5 changes: 2 additions & 3 deletions config/nginx/security_headers.conf
@@ -16,6 +16,5 @@ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; prelo
# for the sake of better benchmark score
add_header Referrer-Policy same-origin;

# CSP header, built with https://addons.mozilla.org/en/firefox/addon/laboratory-by-mozilla/
add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://stat1.clickfraud.ru/matomo.php https://rcv3.clickfraud.ru/calc13.php https://*.google.com https://*.google.ru https://analytics.bitrix.info https://api.clickfraud.dev https://fs-group.bitrix24.ru https://mc.yandex.com/ https://mc.yandex.md/ https://mc.yandex.ru/ https://ymetrica1.com/watch/ https://sovetnik.market.yandex.ru/ab-front https://stats.g.doubleclick.net; font-src 'self' data: https://fonts.bitrix24.ru https://yastatic.net https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru; frame-src 'self' https://yandex.ru https://mc.yandex.ru https://www.yandex.ru https://www.google.com https://www.youtube.com/embed/ https://www.1tv.ru/embed/ https://static.1tv.ru/eump/embeds/; img-src 'self' data: blob: https://*.google.ru https://www.googletagmanager.com https://*.yandex.com https://*.yandex.net https://*.yandex.ru https://yandex.ru/clck/counter/ https://counter.yadro.ru https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru https://favor-group.ru/bitrix/spread.php; script-src 'self' 'report-sample' 'unsafe-inline' 'unsafe-eval' https://*.clickfraud.ru https://cdn-ru.bitrix24.ru https://cdn.jsdelivr.net/npm/ https://cdnjs.cloudflare.com/ajax/libs/ https://api-maps.yandex.ru/ https://core-renderer-tiles.maps.yandex.net https://dct.mango-office.ru https://enterprise.api-maps.yandex.ru/ https://fs-group.bitrix24.ru/bitrix/js/crm/site/form/dist/ https://mc.yandex.ru/metrika/tag.js https://mc.yandex.com/metrika/ https://mc.yandex.ru/watch/ https://ymetrica1.com/watch/ https://widgets.mango-office.ru/widgets/ https://www.google.com/recaptcha/ https://www.googletagmanager.com/gtm.js https://www.googletagmanager.com/gtag/js https://www.gstatic.com/recaptcha/ https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru https://yastatic.net/share2/share.js https://yastatic.net/s3/front-maps-static/ https://yandex.ru https://mc.yandex.com/watch/; style-src 'self' 
'report-sample' 'unsafe-inline' https://fonts.googleapis.com/css https://fonts.bitrix24.ru/css https://fs-group.bitrix24.ru/bitrix/js/crm/site/form/dist/ https://dev.cdn-favor-group.ru https://static.cdn-favor-group.ru; manifest-src 'self'; media-src 'none'; object-src 'none'; child-src https://www.google.com https://yandex.ru; worker-src 'none'; frame-ancestors 'self'; form-action 'self'; base-uri 'none'; script-src-attr 'unsafe-inline'; style-src-attr 'unsafe-inline'; report-uri https://o4506532003840000.ingest.sentry.io/api/4506532009738240/security/?sentry_key=ef58566724eba7c9be0cf1a7fa561953" always;
add_header Report-To '{\"group\":\"default\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://o4506532003840000.ingest.sentry.io/api/4506532009738240/security/?sentry_key=ef58566724eba7c9be0cf1a7fa561953\"}],\"include_subdomains\":true}';
# CSP headers, too dangerous to include to the code someone will copy and run
include /etc/nginx/private.conf.d/*.conf;
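Review bot: the deleted `add_header Content-Security-Policy` and `add_header Report-To` lines both embed the Sentry ingest URL with `sentry_key=ef58566724eba7c9be0cf1a7fa561953`, and deleting them only changes the working tree; the value remains readable in the parent commit 139215f, so either rotate that key in Sentry or treat it as public from now on. On the replacement, `include /etc/nginx/private.conf.d/*.conf;` matches nothing when the directory is empty, so a checkout without the private file silently serves no CSP and no Report-To header at all; a restrictive default policy kept in this tracked file, or at least a comment saying the site has no CSP until the private file is present, would make that failure visible. The new comment also says "CSP headers" while the hunk moves Report-To as well, so name both. Independently of where it lives, the policy still allows `'unsafe-inline' 'unsafe-eval'` in script-src and `script-src-attr 'unsafe-inline'`, which leave it with little value against injected script; moving it to a private file does not change that.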
1 change: 1 addition & 0 deletions docker-compose.yml
@@ -64,6 +64,7 @@ services:
- ./config/nginx/security_headers.conf:/etc/nginx/security_headers.conf:ro
- ./config/nginx/static-cdn.conf:/etc/nginx/static-cdn.conf:ro
- ./config/nginx/conf.d:/etc/nginx/conf.d:ro
- ./private/nginx:/etc/nginx/private.conf.d:ro
- ./private/letsencrypt:/etc/nginx/letsencrypt:ro
# Logs
- ./logs/nginx:/var/log/nginx
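Review bot: the new bind mount `./private/nginx:/etc/nginx/private.conf.d:ro` is read-only, matching the adjacent `./private/letsencrypt` mount, but nothing in this diff shows `./private/nginx` being git-ignored or documented. If the host directory is missing, Compose creates it empty, the `include /etc/nginx/private.conf.d/*.conf;` in `security_headers.conf` then matches nothing, and the container comes up with no CSP or Report-To header. Add the directory to `.gitignore` (next to `./private/letsencrypt`, if that is already listed) and a README note or example file stating which `add_header` lines are expected to live there.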