fix README
This commit is contained in:
bunkerity
parent
1b5f6deb22
commit
5d16f6a8f2
65
README.md
65
README.md
@ -25,7 +25,7 @@ docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -e SERVER_NAME=www.you
|
|||||||
|
|
||||||
Let's Encrypt needs port 80 to be open to request and sign certificates but nginx will only listen on port 443.
|
Let's Encrypt needs port 80 to be open to request and sign certificates but nginx will only listen on port 443.
|
||||||
|
|
||||||
## List of variables
|
## List of environment variables
|
||||||
|
|
||||||
### nginx security
|
### nginx security
|
||||||
*SERVER_TOKENS*
|
*SERVER_TOKENS*
|
||||||
@ -33,46 +33,57 @@ Values : on | off
|
|||||||
Default value : off
|
Default value : off
|
||||||
If set to on, nginx will display server version in Server header and default error pages.
|
If set to on, nginx will display server version in Server header and default error pages.
|
||||||
|
|
||||||
*HEADER_SERVER*
|
*HEADER_SERVER*
|
||||||
Values : yes | no
|
Values : yes | no
|
||||||
Default value : no
|
Default value : no
|
||||||
If set to no, nginx will remove the Server header in HTTP responses.
|
If set to no, nginx will remove the Server header in HTTP responses.
|
||||||
|
|
||||||
*ALLOWED_METHODS*
|
*ALLOWED_METHODS*
|
||||||
Values : allowed HTTP methods separated with | char
|
Values : allowed HTTP methods separated with | char
|
||||||
Default value : GET|POST|HEAD
|
Default value : GET|POST|HEAD
|
||||||
Only the HTTP methods listed here will be accepted by nginx. If not listed, nginx will close the connection.
|
Only the HTTP methods listed here will be accepted by nginx. If not listed, nginx will close the connection.
|
||||||
|
|
||||||
*DISABLE_DEFAULT_SERVER*
|
*DISABLE_DEFAULT_SERVER*
|
||||||
Values : yes | no
|
Values : yes | no
|
||||||
Default value : no
|
Default value : no
|
||||||
If set to yes, nginx will only respond to HTTP request when the Host header match the SERVER_NAME. For example, it will close the connection if a bot access the site with direct ip.
|
If set to yes, nginx will only respond to HTTP request when the Host header match the SERVER_NAME. For example, it will close the connection if a bot access the site with direct ip.
|
||||||
|
|
||||||
### Security headers
|
### Security headers
|
||||||
*X_FRAME_OPTIONS*
|
*X_FRAME_OPTIONS*
|
||||||
Values : DENY | SAMEORIGIN | ALLOW-FROM https://www.website.net | ALLOWALL
|
Values : DENY | SAMEORIGIN | ALLOW-FROM https://www.website.net | ALLOWALL
|
||||||
Default value : DENY
|
Default value : DENY
|
||||||
Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks.
|
Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks.
|
||||||
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
|
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).
|
||||||
|
|
||||||
*X_XSS_PROTECTION*
|
*X_XSS_PROTECTION*
|
||||||
Values : 0 | 1 | 1; mode=block
|
Values : 0 | 1 | 1; mode=block
|
||||||
Default value : 1; mode=block
|
Default value : 1; mode=block
|
||||||
Policy to be used when XSS is detected by the browser. Only works with Internet Explorer.
|
Policy to be used when XSS is detected by the browser. Only works with Internet Explorer.
|
||||||
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
|
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
|
||||||
|
|
||||||
*X_CONTENT_TYPE_OPTIONS*
|
*X_CONTENT_TYPE_OPTIONS*
|
||||||
Values : nosniff
|
Values : nosniff
|
||||||
Default value : nosniff
|
Default value : nosniff
|
||||||
Tells the browser to be strict about MIME type.
|
Tells the browser to be strict about MIME type.
|
||||||
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options).
|
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options).
|
||||||
|
|
||||||
*REFERRER_POLICY*
|
*REFERRER_POLICY*
|
||||||
Values : no-referrer | no-referrer-when-downgrade | origin | origin-when-cross-origin | same-origin | strict-origin | strict-origin-when-cross-origin | unsafe-url
|
Values : no-referrer | no-referrer-when-downgrade | origin | origin-when-cross-origin | same-origin | strict-origin | strict-origin-when-cross-origin | unsafe-url
|
||||||
Default value : no-referrer
|
Default value : no-referrer
|
||||||
|
Policy to be used for the Referer header.
|
||||||
|
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
|
||||||
|
|
||||||
|
*FEATURE_POLICY*
|
||||||
|
Values : <directive> <allow list>
|
||||||
|
Default value : accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'
|
||||||
|
Tells the browser which features can be used on the website.
|
||||||
|
More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
|
||||||
|
|
||||||
*TODO : list variables, default value, explanation, ...*
|
*COOKIE_FLAGS*
|
||||||
|
Values : * HttpOnly | MyCookie secure SameSite | ...
|
||||||
|
Default value : * HttpOnly
|
||||||
|
Adds some security to the cookies set by the server.
|
||||||
|
Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
|
||||||
|
|
||||||
## TODO
|
## TODO
|
||||||
- File permissions hardening
|
- File permissions hardening
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user