From be2d7e0d453fea9a4cc5b3c3d810b97be3605eaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?=
Date: Thu, 16 Apr 2026 14:06:39 +0100
Subject: [PATCH 1/6] Add http headers to nginx

---
 deploy/docker-compose/nginx.gateway.routing.template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/deploy/docker-compose/nginx.gateway.routing.template b/deploy/docker-compose/nginx.gateway.routing.template
index 3d6ce84da3..dd61ac53a8 100644
--- a/deploy/docker-compose/nginx.gateway.routing.template
+++ b/deploy/docker-compose/nginx.gateway.routing.template
@@ -5,6 +5,9 @@ client_body_buffer_size 1K;
 client_header_buffer_size 1k;
 large_client_header_buffers 4 16k;
 add_header Referrer-Policy "no-referrer-when-downgrade";
+add_header X-Content-Type-Options "nosniff" always;
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
+add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
 ssi off;
 server_tokens off;

From 8b7f034696d76587fb18480355b05eedd6274915 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?=
Date: Thu, 16 Apr 2026 17:19:18 +0100
Subject: [PATCH 2/6] WIP

---
 deploy/docker-compose/nginx.gateway.tls.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/deploy/docker-compose/nginx.gateway.tls.conf b/deploy/docker-compose/nginx.gateway.tls.conf
index d39bc1b460..6002a2dc20 100644
--- a/deploy/docker-compose/nginx.gateway.tls.conf
+++ b/deploy/docker-compose/nginx.gateway.tls.conf
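Review bot: The added Content-Security-Policy carries 'unsafe-inline', 'unsafe-eval', data: and blob: on `default-src`, so every fetch directive inherits them and the policy constrains scripts only by host, which is the weakest useful CSP; it also has no `frame-ancestors`, so framing is left entirely to X-Frame-Options, which this revision does not set at this level. The identical flat value is copied into the tls.conf hunk of PATCH 2/6 and comes back in the PATCH 5/6 and PATCH 6/6 hunks after the per-directive form of PATCH 3/6 is dropped, so the final state of the series still has this shape. A better shape is the PATCH 3/6 split (script-src, style-src, font-src, img-src and connect-src each listing only the hosts it needs, plus `frame-ancestors`), written on one physical line, with a comment above it naming which host serves which directive so the list can be pruned later. Separately, nginx does not inherit `add_header` into a location that declares its own `add_header`; `location /` in this file does (its `add_header X-Frame-Options DENY;` line is visible as a removal in the PATCH 3/6 hunk), so until that removal lands, responses proxied through `location /` carry none of the headers added here.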
@@ -23,6 +23,10 @@ server {
 ssl_session_cache shared:MozSSL:10m;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+ add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
 include /etc/nginx/conf.d/gateway.routing;
 }

From 0aa69dac18ec8e74ce6c057bb35a8ae033e17a67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?=
Date: Thu, 16 Apr 2026 17:50:48 +0100
Subject: [PATCH 3/6] WIP

---
 .../nginx.gateway.routing.template | 16 ++++++++++++----
 deploy/docker-compose/nginx.gateway.tls.conf | 4 ----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/deploy/docker-compose/nginx.gateway.routing.template b/deploy/docker-compose/nginx.gateway.routing.template
index dd61ac53a8..5628828372 100644
--- a/deploy/docker-compose/nginx.gateway.routing.template
+++ b/deploy/docker-compose/nginx.gateway.routing.template
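Review bot: These three headers are added to the TLS `server` block while the same three are already emitted by the routing template that the `include /etc/nginx/conf.d/gateway.routing;` line below pulls into this very block, so each response would carry every header twice (two CSP headers are enforced as their intersection, harmless here only because the values are identical, and a drift between the two copies would silently tighten the effective policy). Keep the headers in one place; if the routing include is shared with a non-TLS listener, the template is the right home and this block should hold only TLS-specific headers such as the HSTS line above it. The `server {` block opens outside the hunk.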
@@ -4,15 +4,24 @@ client_max_body_size 10m;
 client_body_buffer_size 1K;
 client_header_buffer_size 1k;
 large_client_header_buffers 4 16k;
-add_header Referrer-Policy "no-referrer-when-downgrade";
+
 add_header X-Content-Type-Options "nosniff" always;
-add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
+add_header Referrer-Policy "no-referrer-when-downgrade";
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+add_header Content-Security-Policy "
+ default-src 'self';
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net;
+ style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+ font-src 'self' https://fonts.gstatic.com https://fonts.cdnfonts.com;
+ img-src 'self' data: blob:;
+ connect-src 'self' https://api.github.com https://*.openops.com;
+ frame-ancestors 'none';
+" always;
+
 ssi off;
 server_tokens off;
 location / {
- add_header X-Frame-Options DENY;
 proxy_pass http://openops-app;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
@@ -65,7 +74,6 @@ location /openops-tables {
 }
 location ~ ^/api/v1/webhooks/[^/]+/sync$ {
- add_header X-Frame-Options DENY;
 proxy_pass http://openops-app;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/deploy/docker-compose/nginx.gateway.tls.conf b/deploy/docker-compose/nginx.gateway.tls.conf
index 6002a2dc20..d39bc1b460 100644
--- a/deploy/docker-compose/nginx.gateway.tls.conf
+++ b/deploy/docker-compose/nginx.gateway.tls.conf
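Review bot: The Content-Security-Policy value is now a quoted string spanning nine lines, and nothing here strips the line breaks or the indentation of the continuation lines, so as far as I can tell the emitted header value contains raw newlines followed by spaces (obsolete line folding): HTTP/1.1 clients are allowed to reject it and HTTP/2 forbids it in a field value, so a browser is likely to drop the header or the whole response instead of applying the policy. Keep the directives on one physical line separated by `; ` (or assemble the value in a `set`/`map` variable if readability matters); the per-directive split and `frame-ancestors 'none'` themselves are the right shape. Removing `add_header X-Frame-Options DENY;` from `location /` here and from the webhook location in the next hunk re-enables inheritance of the top-level headers, which is a silent property of nginx: any location in this file that still has its own `add_header` emits none of them, so a comment above this group such as `# do not put add_header inside location blocks: it disables inheritance of the headers above` is worth adding.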
@@ -23,10 +23,6 @@ server {
 ssl_session_cache shared:MozSSL:10m;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-
- add_header X-Content-Type-Options "nosniff" always;
- add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
- add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
 include /etc/nginx/conf.d/gateway.routing;
 }

From 1da78b7172b4c07ab98e830d24a75c1ca522ed86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?=
Date: Thu, 16 Apr 2026 17:57:32 +0100
Subject: [PATCH 4/6] WIP

---
 deploy/docker-compose/nginx.gateway.routing.template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/docker-compose/nginx.gateway.routing.template b/deploy/docker-compose/nginx.gateway.routing.template
index 5628828372..ffd76da517 100644
--- a/deploy/docker-compose/nginx.gateway.routing.template
+++ b/deploy/docker-compose/nginx.gateway.routing.template
@@ -5,6 +5,7 @@ client_body_buffer_size 1K;
 client_header_buffer_size 1k;
 large_client_header_buffers 4 16k;
+add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade";
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

From 9d685e9eb2b0b272549b6afc0ba68bff65122207 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?=
Date: Thu, 16 Apr 2026 18:20:18 +0100
Subject: [PATCH 5/6] WIP

---
 deploy/docker-compose/nginx.gateway.routing.template | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/deploy/docker-compose/nginx.gateway.routing.template b/deploy/docker-compose/nginx.gateway.routing.template
index ffd76da517..a253e84c41 100644
--- a/deploy/docker-compose/nginx.gateway.routing.template
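Review bot: `add_header X-Frame-Options DENY;` in the PATCH 4/6 hunk is the only header in this group without `always`, so nginx sends it only on its default set of success and redirect status codes and error responses (a 4xx or 5xx page coming back through the proxy) remain framable; change it to `add_header X-Frame-Options DENY always;`. The PATCH 6/6 hunk changes the value to "SAMEORIGIN" and still omits `always`, so the same fix applies there. Since the CSP in this revision also states `frame-ancestors 'none'`, the two currently agree; a comment such as `# keep in sync with frame-ancestors in the Content-Security-Policy below` would keep them from drifting apart.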
+++ b/deploy/docker-compose/nginx.gateway.routing.template
@@ -9,15 +9,7 @@ add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade";
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
-add_header Content-Security-Policy "
- default-src 'self';
- script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net;
- style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
- font-src 'self' https://fonts.gstatic.com https://fonts.cdnfonts.com;
- img-src 'self' data: blob:;
- connect-src 'self' https://api.github.com https://*.openops.com;
- frame-ancestors 'none';
-" always;
+add_header Content-Security-Policy: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://assets.frontegg.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
 ssi off;
 server_tokens off;

From 524f60a3cc2c7cc7e9858e0074626bac8cf20552 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?=
Date: Thu, 16 Apr 2026 20:11:26 +0100
Subject: [PATCH 6/6] WIP

---
 deploy/docker-compose/nginx.gateway.routing.template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deploy/docker-compose/nginx.gateway.routing.template b/deploy/docker-compose/nginx.gateway.routing.template
index a253e84c41..ea28240703 100644
--- a/deploy/docker-compose/nginx.gateway.routing.template
+++ b/deploy/docker-compose/nginx.gateway.routing.template
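Review bot: The new line reads `add_header Content-Security-Policy: "..." always;` and the trailing colon is part of the header name in nginx, so the response carries a header named `Content-Security-Policy:` (two colons on the wire) that browsers do not recognise; in this revision the policy is effectively switched off, and the rollback to the flat `default-src` form also discards `frame-ancestors 'none'` and the per-directive lists from PATCH 3/6. `https://assets.frontegg.com` is introduced here and removed again in PATCH 6/6; if it is needed, a comment beside the line saying what loads from it would prevent the next round of adding and dropping it. PATCH 6/6 removes the colon but keeps the flat value, which the PATCH 1/6 note covers.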
@@ -5,11 +5,11 @@ client_body_buffer_size 1K;
 client_header_buffer_size 1k;
 large_client_header_buffers 4 16k;
-add_header X-Frame-Options DENY;
+add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade";
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
-add_header Content-Security-Policy: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://assets.frontegg.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net" always;
 ssi off;
 server_tokens off;
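Review bot: Loosening X-Frame-Options from DENY to "SAMEORIGIN" while the CSP on the line below has no `frame-ancestors` directive leaves framing governed only by the legacy header; browsers that support CSP give `frame-ancestors` precedence when it is present, so adding `frame-ancestors 'self'` to the policy states the same rule through the modern mechanism and keeps the two in agreement. The X-Frame-Options line still lacks `always` (see the PATCH 4/6 note). If same-origin framing is a product requirement, which the commit message does not say, a one-line comment above the directive giving the reason would stop the next reviewer from reverting it to DENY.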