server { listen 8080; root /usr/share/nginx/html; index resume.html; # Add HSTS header with preload directive add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # Other security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()" always; # Set up CSP with specific script URLs and nonce set $nonce $request_id; add_header Content-Security-Policy " default-src 'none'; script-src 'self' 'nonce-$nonce' https://matomo.nixc.us/js/tracker.js https://colinknapp.com/scripts/some-script.js; style-src 'self' 'nonce-$nonce' https://colinknapp.com/styles/main.css; img-src 'self' https://matomo.nixc.us/images/ https://colinknapp.com/icons/; connect-src 'self' https://matomo.nixc.us; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; "; # Basic location block location / { try_files $uri $uri/ =404; } }