new-site/infra/ansible/roles/nginx/templates/pw-security.conf.j2
justin f8cd37ac8c Initial commit — Performance West telecom compliance platform
Includes: API (Express/TypeScript), Astro site, Python workers,
document generators, FCC compliance tools, Canada CRTC formation,
Ansible infrastructure, and deployment scripts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-27 06:54:22 -05:00


# {{ ansible_managed }}
# Shared security snippet - included by all server blocks
#
# NOTE(review): nginx inherits `add_header` from the enclosing level only when
# the current level declares no `add_header` of its own. Any `location` in an
# including server block that adds its own header silently loses every header
# below; repeat them (or re-include this snippet) in such locations.
# Security headers
# `always` emits the header on error responses (4xx/5xx) as well as 2xx/3xx.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# X-XSS-Protection is deprecated: current browsers ignore it, and the filter it
# enabled in older ones introduced its own problems. Current guidance (OWASP) is
# to send "0" or omit the header; keep "1; mode=block" only if a compliance
# scanner this platform answers to still expects it.
add_header X-XSS-Protection "1; mode=block" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# No Strict-Transport-Security or Content-Security-Policy is set here -
# presumably they live in the TLS server block; verify against the includers.
# Block common attack paths
# 444 is nginx-specific: close the connection without sending a response. The
# request is still written to the access log, so these hits stay visible to
# monitoring.
# Regex locations are tried in file order (first match wins) and only after
# prefix locations; a `^~` prefix location in the including server block takes
# precedence over everything in this snippet.
# Matching is against the normalized URI path without the query string, so the
# `$`-anchored rules cannot be bypassed with a query string.
location ~* \.(php|asp|aspx|cgi|pl)$ {
return 444;
}
# Unanchored on the right: matches the token as a prefix of any path segment,
# anywhere in the URI. Same applies to the phpmyadmin and admin rules below.
location ~* /(wp-admin|wp-login|wp-content|wp-includes|wordpress) {
return 444;
}
# The next three rules are subsumed by the /\.(?!well-known) rule further
# down; kept for explicitness. `~` is case-sensitive, but the dot-file rule
# only inspects the dot, so /.ENV is still caught there.
location ~ /\.git {
return 444;
}
location ~ /\.env {
return 444;
}
location ~ /\.ht {
return 444;
}
location ~* /(phpmyadmin|pma|myadmin|mysql|adminer) {
return 444;
}
# Broad: `/admin` also matches e.g. /api/admin/... or /administration, and
# `/struts` any segment starting with it. Verify the Express API and the Astro
# site serve no such routes before relying on this snippet in their server
# blocks - a legitimate route would be dropped without any response.
location ~* /(admin|administrator|login\.action|struts) {
return 444;
}
# Block hidden files and directories (except .well-known)
# `(?!well-known)` is a negative lookahead: /.well-known/... (ACME, security.txt)
# passes, every other /.<name> anywhere in the path is dropped.
location ~ /\.(?!well-known) {
return 444;
}
# Block backup and config files
# `$` anchors to the end of the URI path; `config` and `dist` here match any
# *.config / *.dist file, not only server configuration.
location ~* \.(bak|config|sql|fla|ini|log|sh|inc|swp|dist|old|save)$ {
return 444;
}