fix: CSP headers (#144)

SaeeDawod · saeeddawod · web-flow · commit bbeadb01a67f · 2025-02-06T06:23:03.000+01:00
- ID: 5571419 (Clickjacking protection)
- ID: 5571420 (CSP implementation)

## Summary by Sourcery

Add security headers to Nginx configuration.

Bug Fixes:
- Addressed clickjacking vulnerability by adding `X-Frame-Options: DENY`
header.
- Implemented Content Security Policy (CSP) to mitigate XSS attacks.

Enhancements:
- Added `X-Content-Type-Options`, `Referrer-Policy` for improved
security.

Co-authored-by: saeeddawod &lt;saeed.dawod@gmail.com&gt;
diff --git a/nginx.conf b/nginx.conf
@@ -49,5 +49,11 @@ http {
 
     #gzip  on;
 
+    # Add security headers
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://*.settlemint.com; frame-ancestors 'none'; object-src 'none'" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
     include /etc/nginx/conf.d/*.conf;
 }
