Add security headers to the roundcube nginx template

Issue #141 new
Former user created an issue

location ~ ^/mail/(.*\.php)$ {
    include /etc/nginx/templates/hsts.tmpl;
    include /etc/nginx/templates/fastcgi_php.tmpl;
    fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail/$1;

    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
}

location ~ ^/mail/(.*) {
    alias /opt/www/roundcubemail/$1;
    index index.php;

    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
}

With these added, it goes from a D rating to an A rating on securityheaders.com.

This is what we should have as part of the template by default, and we do not need to worry about the X-Frame-Options, as that is set in the code of Roundcube. All sites should have these.
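nginx inherits `add_header` from the enclosing level only when a block defines none of its own, so each `location` has to carry all three headers itself. The following check is an added example, not part of the original issue or the project's code; the sample config is constructed, and `missing_headers` and `location_blocks` are hypothetical helper names.

```python
import re

# Headers the issue asks for in every /mail/ location block.
REQUIRED = ("X-XSS-Protection", "X-Content-Type-Options", "Referrer-Policy")

# Constructed sample: the first block matches the issue, the second
# omits Referrer-Policy to show what the check reports.
SAMPLE = r'''
location ~ ^/mail/(.*\.php)$ {
    include /etc/nginx/templates/hsts.tmpl;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy strict-origin;
}
location ~ ^/mail/(.*) {
    alias /opt/www/roundcubemail/$1;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
}
'''

LOCATION = re.compile(r'location\s+([^{]*?)\s*\{')
# A directive starts at the top of the block or after the previous ';'.
ADD_HEADER = re.compile(r'(?:^|;)\s*add_header\s+([A-Za-z0-9-]+)\s')


def location_blocks(conf):
    """Yield (matcher, body) per location block by tracking brace depth.
    Assumes no braces inside matchers or quoted values; includes are not followed."""
    for m in LOCATION.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def missing_headers(conf):
    """Map each location matcher to the required headers it does not set."""
    report = {}
    for matcher, body in location_blocks(conf):
        present = {h.lower() for h in ADD_HEADER.findall(body)}
        missing = [h for h in REQUIRED if h.lower() not in present]
        if missing:
            report[matcher] = missing
    return report


if __name__ == "__main__":
    for matcher, missing in missing_headers(SAMPLE).items():
        print(f"location {matcher}: missing {', '.join(missing)}")
```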
