Switch from location directives to maps based on MIME-types

* Expire * X-XSS-Protection * X-Frame-Options * X-UA-Compatible * Content-Security-Policy * Access-Control-Allow-Origin
h5bp · Feb 10, 2019 · 6dd4cc2 · 6dd4cc2
1 parent 2d13505
commit 6dd4cc2
Show file tree

Hide file tree

Showing 11 changed files with 148 additions and 102 deletions.
diff --git a/h5bp/basic.conf b/h5bp/basic.conf
@@ -3,5 +3,3 @@
 
 include h5bp/internet_explorer/x-ua-compatible.conf;
 include h5bp/location/security_file_access.conf;
-include h5bp/location/web_performance_cache_expiration.conf;
-include h5bp/location/cross-origin_web_fonts.conf;
diff --git a/h5bp/cross-origin/requests.conf b/h5bp/cross-origin/requests.conf
@@ -16,4 +16,4 @@
 # Allow access based on [sub]domain:
 #    add_header Access-Control-Allow-Origin "subdomain.example.com";
 
-add_header Access-Control-Allow-Origin "*";
+add_header Access-Control-Allow-Origin $cors;
diff --git a/h5bp/internet_explorer/x-ua-compatible.conf b/h5bp/internet_explorer/x-ua-compatible.conf
@@ -16,4 +16,4 @@
 # https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
 # https://msdn.microsoft.com/en-us/library/ff955275.aspx
 
-add_header X-UA-Compatible "IE=Edge";
+add_header X-UA-Compatible $x_ua_compatible;
diff --git a/h5bp/location/cross-origin_images.conf b/h5bp/location/cross-origin_images.conf
diff --git a/h5bp/location/cross-origin_web_fonts.conf b/h5bp/location/cross-origin_web_fonts.conf
diff --git a/h5bp/location/web_performance_cache_expiration.conf b/h5bp/location/web_performance_cache_expiration.conf
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
@@ -20,4 +20,4 @@
 # https://content-security-policy.com/
 # https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 
-add_header Content-Security-Policy "script-src 'self'; object-src 'self'" always;
+add_header Content-Security-Policy $content_security_policy always;
diff --git a/h5bp/security/x-frame-options.conf b/h5bp/security/x-frame-options.conf
@@ -33,4 +33,4 @@
 # https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
 # https://www.owasp.org/index.php/Clickjacking
 
-add_header X-Frame-Options DENY always;
+add_header X-Frame-Options $x_frame_options always;
diff --git a/h5bp/security/x-xss-protection.conf b/h5bp/security/x-xss-protection.conf
@@ -35,5 +35,4 @@
 # https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
 # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
 
-#                           (1)    (2)
-add_header X-XSS-Protection "1; mode=block" always;
+add_header X-XSS-Protection $x_xss_protection always;
diff --git a/h5bp/web_performance/cache_expiration.conf b/h5bp/web_performance/cache_expiration.conf
@@ -0,0 +1,88 @@
+# ----------------------------------------------------------------------
+# | Cache expiration                                                   |
+# ----------------------------------------------------------------------
+
+# Serve resources with far-future expiration date.
+#
+# (!) If you don't control versioning with filename-based
+# cache busting, you should consider lowering the cache times
+# to something like one week.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
+# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
+
+map $sent_http_content_type $expires {
+  default                               1M;
+
+  # CSS
+  text/css                              1y;
+
+  # Data interchange
+  application/atom+xml                  1h;
+  application/rdf+xml                   1h;
+  application/rss+xml                   1h;
+
+  application/json                      0;
+  application/ld+json                   0;
+  application/schema+json               0;
+  application/geo+json                  0;
+  application/xml                       0;
+  text/calendar                         0;
+  text/xml                              0;
+
+  # Favicon (cannot be renamed!) and cursor images
+  image/vnd.microsoft.icon              1w;
+  image/x-icon                          1w;
+
+  # HTML
+  text/html                             0;
+
+  # JavaScript
+  application/javascript                1y;
+  application/x-javascript              1y;
+  text/javascript                       1y;
+
+  # Manifest files
+  application/manifest+json             1w;
+  application/x-web-app-manifest+json   0;
+  text/cache-manifest                   0;
+
+
+  # Markdown
+  text/markdown                         0;
+
+  # Media files
+  audio/ogg                             1M;
+  image/bmp                             1M;
+  image/gif                             1M;
+  image/jpeg                            1M;
+  image/png                             1M;
+  image/svg+xml                         1M;
+  image/webp                            1M;
+  video/mp4                             1M;
+  video/ogg                             1M;
+  video/webm                            1M;
+
+  # WebAssembly
+  application/wasm                      1y;
+
+  # Web fonts
+  font/collection                       1M;
+  application/vnd.ms-fontobject         1M;
+  font/eot                              1M;
+  font/opentype                         1M;
+  font/otf                              1M;
+  application/x-font-ttf                1M;
+  font/ttf                              1M;
+  application/font-woff                 1M;
+  application/x-font-woff               1M;
+  font/woff                             1M;
+  application/font-woff2                1M;
+  font/woff2                            1M;
+
+  # Other
+  text/x-cross-domain-policy            1w;
+}
+
+expires $expires;
diff --git a/nginx.conf b/nginx.conf
@@ -93,6 +93,61 @@ http {
   # Enable gzip compression.
   include h5bp/web_performance/compression.conf;
 
+  # Specify file cache expiration.
+  include h5bp/web_performance/cache_expiration.conf;
+
+  # Add X-XSS-Protection for HTML documents.
+  # h5bp/security/x-xss-protection.conf
+  map $sent_http_content_type $x_xss_protection {
+    #         (1)    (2)
+    text/html "1; mode=block";
+  }
+
+  # Add X-Frame-Options for HTML documents.
+  # h5bp/security/x-frame-options.conf
+  map $sent_http_content_type $x_frame_options {
+    text/html DENY;
+  }
+
+  # Add Content-Security-Policy for HTML documents.
+  # h5bp/security/content-security-policy.conf
+  map $sent_http_content_type $content_security_policy {
+    text/html "script-src 'self'; object-src 'self'";
+  }
+
+  # Add X-UA-Compatible for HTML documents.
+  # h5bp/internet_explorer/x-ua-compatible.conf
+  map $sent_http_content_type $x_ua_compatible {
+    text/html "IE=edge";
+  }
+
+  # Add Access-Control-Allow-Origin.
+  # h5bp/cross-origin/requests.conf
+  map $sent_http_content_type $cors {
+    # Images
+    image/bmp     "*";
+    image/gif     "*";
+    image/jpeg    "*";
+    image/png     "*";
+    image/svg+xml "*";
+    image/webp    "*";
+    image/x-icon  "*";
+
+    # Web fonts
+    font/collection               "*";
+    application/vnd.ms-fontobject "*";
+    font/eot                      "*";
+    font/opentype                 "*";
+    font/otf                      "*";
+    application/x-font-ttf        "*";
+    font/ttf                      "*";
+    application/font-woff         "*";
+    application/x-font-woff       "*";
+    font/woff                     "*";
+    application/font-woff2        "*";
+    font/woff2                    "*";
+  }
+
   # Include files in the conf.d folder.
   # server{} configuration files should be placed in the conf.d folder.
   # The configurations should be disabled by prefixing files with a dot.