From 72edab5e1977a568bff8c56a62a2925751101f3b Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Tue, 20 May 2025 23:15:13 -0400
Subject: [PATCH] Infini-DL360/web: add website security headers
---
 hosts/Infini-DL360/web.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hosts/Infini-DL360/web.nix b/hosts/Infini-DL360/web.nix
index 6060b2b..49d2c47 100644
--- a/hosts/Infini-DL360/web.nix
+++ b/hosts/Infini-DL360/web.nix
@@ -17,6 +17,9 @@ let
 location = /template.html { deny all; }
 location ~* "\.(nix|lock)" { deny all; }
 location ~ "/\..+" { deny all; }
+
+ add_header Content-Security-Policy "default-src 'self' inx.moe files.inx.moe; frame-ancestors 'self' https://inx.moe; script-src 'self' inx.moe files.inx.moe storage.ko-fi.com; frame-src 'self' inx.moe files.inx.moe github.com;";
+ add_header X-Content-Type-Options "nosniff;";
 '';
 mkRedirect = to: ssl-optional // { globalRedirect = to; };
@@ -36,7 +39,11 @@ in
 locations."/" = {
 root = "/srv/web/inx.moe/out"; # TODO: Make this less volatile
 inherit tryFiles;
- extraConfig = websiteConfig;
+ extraConfig =
+ websiteConfig
+ + ''
+ add_header Strict-Transport-Security "max-age=2592000;";
+ '';
 };
 };
 "nitter.inx.moe" = mkRedirect "twitter.com";
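Review bot: The `X-Content-Type-Options` value is written as `"nosniff;"`, so the semicolon inside the quotes is sent as part of the header value, and browsers that compare it against `nosniff` exactly may ignore the header; it should read `add_header X-Content-Type-Options "nosniff" always;`. Neither new `add_header` line uses `always`, so nginx leaves the headers off error responses such as the 403s produced by the `deny all` locations just above; the `Strict-Transport-Security` line added in the `locations."/"` hunk has the same gap. In the CSP, `default-src` is not a fallback for `base-uri`, so appending `base-uri 'self';` would cover injected `<base>` tags, and it is worth confirming that `storage.ko-fi.com` has to be trusted as a whole host in `script-src`. The `websiteConfig` string begins outside this hunk.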
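Review bot: `max-age=2592000` pins HTTPS for only 30 days and the policy has no `includeSubDomains`, and nothing in the hunk records whether that is a deliberate rollout step. A short comment above `extraConfig`, for example `# HSTS: 30 days during rollout; raise max-age once HTTPS is confirmed stable`, would document the intent; the wording is only a suggestion, since the intended final value is not visible here. Because nginx inherits `add_header` from an outer level only when the current level defines none, a location that later gains its own `add_header` would silently drop this header together with those from `websiteConfig`, which also deserves a comment. The enclosing virtual-host attribute set starts and ends outside the hunk.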