This is my report with HAProxy instead of nginx; I guess I have to fix some stuff. However, @pir8radio, would you mind doing this again so I can check if I set all the correct headers? Also, can you let me know what you set for the CSP?
For other HAproxy users:
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1;mode=block"
http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
What I noticed is that CORS differs as well:
Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains
Yours looks good. I actually stole some of your settings and combined them with mine. I now have this:
Same score as my initial test, but hey...
add_header Content-Security-Policy "default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'sha256-bdnU7HNzra4Qmlo30dpjygO1RLIIqRVu1wcOsl0OWqU=' https://*.mydomain.net https://www.gstatic.com; img-src data: https:; style-src 'unsafe-inline' https://*.mydomain.net" always;
Edited by pir8radio, 17 August 2018 - 09:13 PM.
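An added example, not code from either post: a small checker that parses a CSP value the way a header scanner does and reports the weak spots (missing directives, unsafe inline/eval, wildcard or cleartext sources). The embedded policy is the one from pir8radio's post with the placeholder domain used consistently; which directives count as "expected" and the img-src exemption are this example's own choices.

```python
# Parse and audit a Content-Security-Policy value before pasting it into a proxy config.
# Added example for this thread; not code from the thread or from any project.

# Directives that should be set explicitly: the *-src ones otherwise fall back to
# default-src, while base-uri and frame-ancestors have no fallback at all.
EXPECTED = ("default-src", "script-src", "object-src", "base-uri",
            "frame-ancestors", "form-action")

# CSP value from the post above (placeholder domain, hash as posted).
CSP_FROM_POST = (
    "default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com "
    "https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; "
    "object-src 'none'; script-src 'sha256-bdnU7HNzra4Qmlo30dpjygO1RLIIqRVu1wcOsl0OWqU=' "
    "https://*.mydomain.net https://www.gstatic.com; img-src data: https: ; "
    "style-src 'unsafe-inline' https://*.mydomain.net"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [sources]}. Directive names are case-insensitive,
    and only the first occurrence of a repeated directive counts (later ones are ignored
    by browsers), so setdefault() mirrors that behaviour."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing weak was spotted."""
    policy = parse_csp(header)
    findings = []
    for name in EXPECTED:
        if name not in policy:
            findings.append(f"{name}: not set")
    for name, sources in policy.items():
        if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
            # Inline script is the classic XSS foothold; inline style is a lesser risk.
            severity = "high" if name in ("script-src", "default-src") else "low"
            findings.append(f"{name}: allows unsafe inline/eval ({severity})")
        for src in sources:
            if src == "*" or src.startswith("http:"):
                findings.append(f"{name}: permits any/cleartext origin via {src}")
            elif src in ("https:", "data:") and name != "img-src":
                # Scheme-wide sources are tolerated for images only in this example.
                findings.append(f"{name}: scheme-wide source {src}")
    return findings


if __name__ == "__main__":
    for line in audit_csp(CSP_FROM_POST) or ["no findings"]:
        print(line)
```

Run against the posted policy it reports only the `'unsafe-inline'` in `style-src`, which is the one item a scanner will still dock points for.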