-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
46 lines (40 loc) · 1.51 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
server {
listen 80;
server_name _;
root /usr/share/nginx/html;
index index.html;
# Security headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://*.supabase.co https://api.openai.com;" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";
# Prevent access to hidden files
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location / {
try_files $uri $uri/ /index.html;
expires -1;
# Enable compression
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
}
# Cache static assets
location /assets {
expires 1y;
add_header Cache-Control "public, no-transform";
access_log off;
}
# Deny access to sensitive files
location ~ \.(env|log|git|yml|yaml|xml|ini|json)$ {
deny all;
}
}