feat: enhance sanitization

2026-04-17 23:40:24 +05:30
parent d92ee1a003
commit b4779bb49b
35 changed files with 2703 additions and 1240 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -12,7 +12,7 @@ http {
    default_type application/octet-stream;

    gzip_static on;
-    
+
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
@@ -27,27 +27,20 @@ http {
        index index.html;
        absolute_redirect off;

+        include /etc/nginx/security-headers.conf;
+
        location ~ ^/(en|ar|be|da|de|es|fr|id|it|ko|nl|pt|ru|sv|tr|vi|zh|zh-TW)(/.*)?$ {
            try_files $uri $uri/ $uri.html /$1/index.html /index.html;
            expires 5m;
-            add_header Cache-Control "public, must-revalidate";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
        }

        location ~ ^/(.+?)/(en|ar|be|da|de|es|fr|id|it|ko|nl|pt|ru|sv|tr|vi|zh|zh-TW)(/.*)?$ {
            try_files $uri $uri/ $uri.html /$1/$2/index.html /$1/index.html /index.html;
            expires 5m;
-            add_header Cache-Control "public, must-revalidate";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
        }

        location ~* \.html$ {
            expires 1h;
-            add_header Cache-Control "public, must-revalidate";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
        }

        location ~* /libreoffice-wasm/soffice\.wasm\.gz$ {
@@ -55,9 +48,8 @@ http {
            types {} default_type application/wasm;
            add_header Content-Encoding gzip;
            add_header Vary "Accept-Encoding";
-            add_header Cache-Control "public, immutable";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
+            include /etc/nginx/security-headers.conf;
+            expires 1y;
        }

        location ~* /libreoffice-wasm/soffice\.data\.gz$ {
@@ -65,38 +57,28 @@ http {
            types {} default_type application/octet-stream;
            add_header Content-Encoding gzip;
            add_header Vary "Accept-Encoding";
-            add_header Cache-Control "public, immutable";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
+            include /etc/nginx/security-headers.conf;
+            expires 1y;
        }

        location ~* \.(wasm|wasm\.gz|data|data\.gz)$ {
            expires 1y;
-            add_header Cache-Control "public, immutable";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
        }

        location ~* \.(js|mjs|css|woff|woff2|ttf|eot|otf)$ {
            expires 1y;
-            add_header Cache-Control "public, immutable";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
        }

        location ~* \.(png|jpg|jpeg|gif|ico|svg|webp|avif|mp4|webm)$ {
            expires 1y;
-            add_header Cache-Control "public, immutable";
        }

        location ~* \.json$ {
            expires 1w;
-            add_header Cache-Control "public, must-revalidate";
        }

        location ~* \.pdf$ {
            expires 1y;
-            add_header Cache-Control "public, immutable";
        }

        error_page 404 /404.html;
@@ -104,16 +86,6 @@ http {
        location / {
            try_files $uri $uri/ $uri.html =404;
            expires 5m;
-            add_header Cache-Control "public, must-revalidate";
-            add_header Cross-Origin-Embedder-Policy "require-corp" always;
-            add_header Cross-Origin-Opener-Policy "same-origin" always;
        }
-
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header Cross-Origin-Opener-Policy "same-origin" always;
-        add_header Cross-Origin-Embedder-Policy "require-corp" always;
-        add_header Cross-Origin-Resource-Policy "cross-origin" always;
    }
 }