From 05a2f0a80f397a59ac37a62171e6b04fa1690548 Mon Sep 17 00:00:00 2001
From: Ahwx <ahwx@ahwx.org>
Date: Tue, 16 Jul 2024 20:58:08 +0200
Subject: [PATCH] fix: comply with hsts

---
 modules/services/matrix/default.nix | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
index 6f8cb75..1454b40 100644
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@@ -31,6 +31,32 @@ in {
       recommendedOptimisation = true;
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
+
+      # Hardened TLS and HSTS preloading
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Do not add HSTS header to HTTP requests.
+        map $scheme $hsts_header {
+            https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      '';
+
       virtualHosts = {
         # If the A and AAAA DNS records on example.org do not point on the same host as the
         # records for myhostname.example.org, you can easily move the /.well-known