# Use $request_id as a pseudo-nonce for Content Security Policy (CSP) map $request_id $nonce { default "$request_id"; } server { listen 8080; root /usr/share/nginx/html; index resume.html; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()" always; # Content Security Policy (CSP) with injected $nonce for script-src add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'nonce-$nonce' https://matomo.nixc.us; style-src 'self' 'unsafe-inline' https://colinknapp.com; img-src 'self' https://matomo.nixc.us https://colinknapp.com https://hedgedoc.nixc.us; font-src 'self' data:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always; # Cross-origin isolation headers add_header Cross-Origin-Embedder-Policy "require-corp" always; add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cross-Origin-Opener-Policy "same-origin" always; # Subresource Integrity (SRI) requires modifying HTML for each script link to include integrity hashes # Set up sub_filter to add nonce to inline scripts sub_filter '