# {{ ansible_managed }}
# Shared security snippet - included by all server blocks

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Block common attack paths
location ~* \.(php|asp|aspx|cgi|pl)$ {
    return 444;
}

location ~* /(wp-admin|wp-login|wp-content|wp-includes|wordpress) {
    return 444;
}

location ~ /\.git {
    return 444;
}

location ~ /\.env {
    return 444;
}

location ~ /\.ht {
    return 444;
}

location ~* /(phpmyadmin|pma|myadmin|mysql|adminer) {
    return 444;
}

location ~* /(admin|administrator|login\.action|struts) {
    return 444;
}

# Block hidden files and directories (except .well-known)
location ~ /\.(?!well-known) {
    return 444;
}

# Block backup and config files
location ~* \.(bak|config|sql|fla|ini|log|sh|inc|swp|dist|old|save)$ {
    return 444;
}