From d2b515ff31d498733cb524ec2408d9373cd5f3bf Mon Sep 17 00:00:00 2001
From: Brian Telnes
Date: Wed, 18 Apr 2018 17:45:24 +0000
Subject: [PATCH] All web pages that contain user-controllable content must opt-out of automatic MIME sniffing
---
 .../nginx/templates/edx/app/nginx/sites-available/cms.j2 | 5 ++++-
 .../nginx/templates/edx/app/nginx/sites-available/lms.j2 | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
index 9633f484c7b..a3916ff20bf 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
@@ -42,9 +42,12 @@ error_page {{ k }} {{ v }};
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
 {% endif %}
+ # prevent the browser from doing MIME-type sniffing
+ add_header X-Content-Type-Options nosniff;
+
 # Prevent invalid display courseware in IE 10+ with high privacy settings
 add_header P3P '{{ NGINX_P3P_MESSAGE }}';
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
index fb201a72b75..c4af2c711cd 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
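Review bot: In the cms.j2 hunk, `add_header X-Content-Type-Options nosniff;` (and the Strict-Transport-Security line above it) is only sent on 2xx/3xx responses, because `add_header` without the `always` flag is skipped for 4xx/5xx, so the custom error pages configured just above the hunk (`error_page {{ k }} {{ v }};`) go out without the header and the commit's stated goal of covering every page is not met. If the deployed nginx is 1.7.5 or newer, `add_header X-Content-Type-Options nosniff always;` closes that gap. A second caveat is that nginx does not inherit server-level `add_header` directives into any `location` block that declares its own `add_header`, so if this template contains such blocks (not visible in the hunk) these headers silently disappear there and must be repeated. The `includeSubDomains` addition to Strict-Transport-Security is a wider change than the subject line describes, since it commits every subdomain of this host to HTTPS, and deserves a comment such as `# includeSubDomains: every subdomain must be served over HTTPS before enabling`. The identical hunk in lms.j2 has the same three issues.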
@@ -90,9 +90,12 @@ error_page {{ k }} {{ v }};
 {% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
 # request the browser to use SSL for all connections
- add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
+ add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
 {% endif %}
+ # prevent the browser from doing MIME-type sniffing
+ add_header X-Content-Type-Options nosniff;
+
 # Prevent invalid display courseware in IE 10+ with high privacy settings
 add_header P3P '{{ NGINX_P3P_MESSAGE }}';