more secure headers and settings in nginx example config and remove some unnecessary inline css

5 years ago · 8f0e4b40ac
parent 1bb03ea6ff
commit 8f0e4b40ac
10 changed files with 38 additions and 18 deletions
--- a/configs/nginx.example
+++ b/configs/nginx.example
@ -5,8 +5,15 @@ upstream chan {
 server {

 	server_name domain.com www.domain.com;
+	server_tokens off;
+	error_page 404 = /home/tom/jschan/static/html/404.html;

-	error_page 404 = /path/to/jschan/static/html/404.html;
+	add_header Cache-Control "public";
+	add_header Content-Security-Policy "Content-Security-Policy: default-src 'none'; img-src 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'";
+	add_header Referrer-Policy "same-origin";
+	add_header X-Frame-Options "sameorigin";
+	add_header X-Content-Type-Options "nosniff";
+	add_header X-XSS-Protection "1; mode=block";

 	if ($request_uri ~ ^/(?!captcha|randombanner|forms|logout|socket\.io)) {
 		rewrite ^([^.\?]*[^/])$ $1/ redirect;
@ -22,7 +29,6 @@ server {
 	location = /favicon.ico {
 		access_log off;
 		expires max;
-		add_header Cache-Control "public";
 		root /path/to/jschan/static/img;
 		try_files $uri =404;
 	}
@ -74,7 +80,6 @@ server {
 	# HTML
 	location ~* \.html$ {
 		expires 0;
-		add_header Cache-Control "public";
 		root /path/to/jschan/static/html;
 		try_files $uri @backend;
 	}
@ -82,7 +87,6 @@ server {
 	# JSON
 	location ~* \.json$ {
 		expires 0;
-		add_header Cache-Control "public";
 		root /path/to/jschan/static/json;
 		try_files $uri =404;
 		#json doesnt hit backend if it doesnt exist yet.
@ -92,7 +96,6 @@ server {
 	location ~* \.css$ {
 		access_log off;
 		expires 1d;
-		add_header Cache-Control "public";
 		root /path/to/jschan/static;
 		try_files $uri =404;
 	}
@ -102,7 +105,6 @@ server {
 		expires 1d;
 		access_log off;
 		root /path/to/jschan/static;
-		add_header Cache-Control "public";
 		try_files $uri =404;
 	}

@ -110,7 +112,6 @@ server {
 	location ~* \.(png|jpg|jpeg|gif|mp4|webm|mov|svg)$ {
 		access_log off;
 		expires max;
-		add_header Cache-Control "public";
 		root /path/to/jschan/static;
 		try_files $uri =404;
 	}
--- a/gulp/res/css/nscaptcha.css
+++ b/gulp/res/css/nscaptcha.css
@ -0,0 +1,11 @@
+img {
+	width:200px;
+	height:80px;
+	margin:0 auto;
+}
+input {
+	position:fixed;
+	left:-1px;
+	bottom:-1px;
+	opacity:0.9;
+}
--- a/gulp/res/css/style.css
+++ b/gulp/res/css/style.css
@ -82,6 +82,9 @@ pre {
 .text-center {
 	text-align: center;
 }
+.fw {
+	width: 100%;
+}
 .pr-20 {
 	padding-right: 20px;
 }
@ -199,6 +202,10 @@ p {
 	color: #3060A8;
 }

+.horscroll {
+	overflow-x:auto;
+}
+
 .spoiler {
 	background: black;
 	color: black;
@ -397,6 +404,7 @@ td, th {

 .user-id {
 	text-shadow: #000 0px 0px 1px, #000 0px 0px 1px, #000 0px 0px 1px, #000 0px 0px 1px, #000 0px 0px 1px, #000 0px 0px 1px;
+	background: attr(data-user-id);
 	color: white;
 	padding: 0px 2px;
 	border: 1px solid rgba(0, 0, 0, 0.4);
@ -737,7 +745,7 @@ table.boardtable th:nth-child(3),table.boardtable th:nth-child(4),table.boardtab
@media only screen and (max-width: 600px) {

 	table.boardtable td:nth-child(3), table.boardtable th:nth-child(3),
-	table.boardtable td:nth-child(5), table.boardtable th:nth-child(5) {
+	table.boardtable td:nth-child(4), table.boardtable th:nth-child(4) {
 		display: none;
 	}

--- a/gulp/res/js/post.js
+++ b/gulp/res/js/post.js
@ -58,7 +58,7 @@ pug_html = pug_html + "\u003Cspan class=\"post-capcode\"\u003E" + (pug_escape(nu
 const postDate = new Date(post.date)
 pug_html = pug_html + "\u003Ctime" + (" class=\"post-date\""+pug_attr("datetime", postDate.toISOString(), true, false)) + "\u003E" + (pug_escape(null == (pug_interp = postDate.toLocaleString(undefined, {hour12:false})) ? "" : pug_interp)) + "\u003C\u002Ftime\u003E ";
 if (post.userId) {
-pug_html = pug_html + "\u003Cspan" + (" class=\"user-id\""+pug_attr("style", pug_style(`background: #${post.userId}`), true, false)) + "\u003E" + (pug_escape(null == (pug_interp = post.userId) ? "" : pug_interp)) + "\u003C\u002Fspan\u003E ";
+pug_html = pug_html + "\u003Cspan" + (" class=\"user-id\""+pug_attr("style", pug_style(`background-color: #${post.userId}`), true, false)) + "\u003E" + (pug_escape(null == (pug_interp = post.userId) ? "" : pug_interp)) + "\u003C\u002Fspan\u003E ";
 }
 pug_html = pug_html + "\u003C\u002Flabel\u003E\u003Cspan class=\"post-links\"\u003E\u003Ca" + (" class=\"no-decoration\""+pug_attr("href", `${postURL}#${post.postId}`, true, false)) + "\u003ENo.\u003C\u002Fa\u003E\u003Cspan class=\"post-quoters\"\u003E\u003Ca" + (" class=\"no-decoration\""+pug_attr("href", `${postURL}#postform`, true, false)) + "\u003E" + (pug_escape(null == (pug_interp = post.postId) ? "" : pug_interp)) + "\u003C\u002Fa\u003E";
 if (!post.thread) {
--- a/views/includes/actionfooter.pug
+++ b/views/includes/actionfooter.pug
@ -22,7 +22,7 @@ details.toggle-label
 		label
 			input#report(type='text', name='report_reason', placeholder='report reason' autocomplete='off')
 	details.actions
-		summary(style='font-weight: bold') Staff Actions:
+		summary.bold Staff Actions:
 		label
 			input.post-check(type='checkbox', name='delete_ip_board' value='1')
 			| Delete from IP on board
--- a/views/includes/bantable.pug
+++ b/views/includes/bantable.pug
@ -1,5 +1,5 @@
-.table-container.mv-10.text-center(style='overflow-x:scroll')
-	table(style='width:100%')
+.table-container.mv-10.text-center.horscroll
+	table.fw
 		tr
 			th
 			th Board
--- a/views/includes/captcha.pug
+++ b/views/includes/captcha.pug
@ -1,4 +1,3 @@
 noscript.no-m-p
 	iframe.captcha(src='/captcha.html' 'width=200' height='80' scrolling='no')
-.jsonly.captcha(style='display:none;')
 input.captchafield(type='text' name='captcha' autocomplete='off' placeholder='captcha text' pattern=".{6}" required title='6 characters')
--- a/views/includes/head.pug
+++ b/views/includes/head.pug
@ -4,5 +4,5 @@ link(rel='stylesheet' href='/css/style.css')
 - const theme = board ? board.settings.theme : defaultTheme;
 link#theme(rel='stylesheet' data-theme=theme href=`/css/themes/${theme}.css`)
 noscript
-	style .jsonly { display: none }
+	style .jsonly { display: none; }
 link(rel='shortcut icon' href='/favicon.ico' type='image/x-icon')
--- a/views/mixins/post.pug
+++ b/views/mixins/post.pug
@ -34,7 +34,7 @@ mixin post(post, truncate, manage=false, globalmanage=false, ban=false)
 				time.post-date(datetime=postDate.toISOString()) #{postDate.toLocaleString(undefined, {hour12:false})}
 				| 
 				if post.userId
-					span.user-id(style=`background: #${post.userId}`) #{post.userId}
+					span.user-id(style=`background-color: #${post.userId}`) #{post.userId}
 					| 
 			span.post-links
 				a.no-decoration(href=`${postURL}#${post.postId}`) No.
--- a/views/pages/captcha.pug
+++ b/views/pages/captcha.pug
@ -2,7 +2,8 @@ doctype html
 html
 	head
 		link(rel='stylesheet', href='/css/style.css')
-	body(style='margin:0;padding:0;')
-		img(src='/captcha', style='width:200px;height:80px;margin:0 auto;')
+		link(rel='stylesheet', href='/css/nscaptcha.css')
+	body.no-m-p
+		img(src='/captcha')
 		form(action='/forms/newcaptcha', method='POST')
-			input(style='position:fixed;left:-1px;bottom:-1px;opacity:0.9;' type='submit' value='🗘')
+			input(type='submit' value='🗘')