Update docker/resume/nginx.conf

docker/resume/nginx.conf

@@ -1,53 +1,38 @@
-# Use $request_id as a pseudo-nonce for Content Security Policy (CSP)
+:8080 {
-map $request_id $nonce {
+    root * .
-    default "$request_id";
+    file_server
-}
+    encode gzip
-
-server {
-    listen 8080;
-    root /usr/share/nginx/html;
-    index resume.html;
 
     # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    header {
-    add_header X-Frame-Options "SAMEORIGIN" always;
+        # HSTS
-    add_header X-Content-Type-Options "nosniff" always;
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()" always;
         
-    # Updated Content Security Policy (CSP) with 'unsafe-inline' temporarily for style-src
+        # Basic security headers
-    add_header Content-Security-Policy "
+        X-Frame-Options "SAMEORIGIN"
-        default-src 'none';
+        X-Content-Type-Options "nosniff"
-        script-src 'self' 'nonce-$nonce' https://matomo.nixc.us https://gist.github.com https://assets-cdn.github.com;
+        Referrer-Policy "strict-origin-when-cross-origin"
-        style-src 'self' 'nonce-$nonce' https://colinknapp.com https://getbootstrap.com https://fonts.googleapis.com 'unsafe-inline';
-        img-src 'self' https://matomo.nixc.us https://colinknapp.com https://hedgedoc.nixc.us https://assets-cdn.github.com https://github.com https://forkaweso.me https://ionicons.com https://twitter.com data:;
-        font-src 'self' https://fonts.gstatic.com https://github.com https://forkaweso.me data:;
-        connect-src 'self' https://matomo.nixc.us;
-        frame-ancestors 'self';
-        base-uri 'self';
-        form-action 'self';
-    " always;
         
-    # Cross-origin isolation headers
+        # Permissions policy
-    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+        Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()"
-    add_header Cross-Origin-Resource-Policy "same-origin" always;
-    add_header Cross-Origin-Opener-Policy "same-origin" always;
         
-    # Apply CORP header for the apple-touch-icon to allow cross-origin access
+        # Cross-origin isolation headers
-    location /icons/apple-touch-icon.png {
+        Cross-Origin-Embedder-Policy "require-corp"
-        add_header Cross-Origin-Resource-Policy "cross-origin";
+        Cross-Origin-Resource-Policy "same-origin"
+        Cross-Origin-Opener-Policy "same-origin"
+        
+        # Simplified CSP for static content
+        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; base-uri 'self'; form-action 'self'"
     }
 
-    # Use sub_filter to inject the nonce into inline <script> and <style> tags automatically
+    # Handle 404s
-    sub_filter '<script>' '<script nonce="$nonce">';
+    handle_errors {
-    sub_filter '<style>' '<style nonce="$nonce">';
+        respond "{err.status_code} {err.status_text}"
-    sub_filter_once off;
+    }
-    sub_filter_types text/html;
 
-    # Redirect demo.hedgedoc.org resources to hedgedoc.nixc.us
+    # Logging
-    sub_filter "https://demo.hedgedoc.org" "https://hedgedoc.nixc.us";
+    log {
-
+        output stdout
-    location / {
+        format json
-        try_files $uri $uri/ =404;
     }
 }