mailcow-dockerized
Improve headers for security
I added Permissions-Policy and Content-Security-Policy. I have tested these with the admin panel and FIDO2. XSS filtering should be set to 0 as it could cause issues by itself according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection.
HSTS should be preloaded and ~~include subdomains~~. I don't see a reason not to.
We had previously decided to not do HSTS for subdomains because it would affect services on your domain other than Mailcow. I think that still holds, especially since it's near impossible to turn off HSTS later.
Mkay, I removed the includeSubdomains part.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Please do not mark it as stale.
How do reverse proxies behave on that?
I don't understand the question 0.0
No problem. Will reverse proxies still work with these changes, as these are changed directly at the root webserver?
I'm not that fit with those security headers, that's why I ask, plus to ensure the functionality with reverse proxies.
It works fine with Mailcow on the stable branch. I have not tested with SOGo yet, as I do not use it. I am using it on my own server as you can see here: https://mail.tommytran.io
It should work with the bootstrap theme now
@DerLinkman These changes work fine with SOGo, I have tested them. They probably won't work with stuff like Gitea, etc., that you have in the docs. Maybe we can move them down to the location blocks to make it work. The other approach (and IMO the better approach) is to leave it like this and give instructions to overwrite the headers set at the root inside of the location blocks for those reverse proxies.
I have my CSP policy for Gitea listed here https://github.com/tommytran732/Gitea-Docker-Compose/blob/main/swag/nginx/ssl.conf#L32... I am not sure about the other stuff. Someone gotta make the CSP policies for them.
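As an added illustration of the "overwrite the headers inside the location blocks" approach discussed above (example config written for this page, not mailcow's own, with hypothetical host names, upstreams and CSP values): nginx does not merge add_header across levels, so a location block that sets any header drops all the root ones and must restate them.

```nginx
# Added example, not mailcow's config. Host names, upstreams and policy
# values are hypothetical placeholders.
server {
    listen 443 ssl http2;
    server_name mail.example.com;   # hypothetical

    # Headers set once at the server (root) level, as proposed in this PR.
    # "always" makes nginx send them on 4xx/5xx responses as well.
    # Note: hstspreload.org only accepts a policy that carries
    # includeSubDomains, so "preload" without it has no effect on listing.
    add_header Strict-Transport-Security "max-age=31536000; preload" always;
    add_header X-XSS-Protection "0" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'" always;

    location / {
        # No add_header here, so the four root-level headers are inherited.
        proxy_pass http://mailcow-nginx;   # hypothetical upstream
    }

    location /gitea/ {
        # The first add_header in a location discards *every* inherited
        # header, so the unchanged ones are restated, not only the CSP.
        add_header Strict-Transport-Security "max-age=31536000; preload" always;
        add_header X-XSS-Protection "0" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
        # App-specific CSP that replaces the root policy (hypothetical value).
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;
        # Drop any CSP the upstream app emits itself; two CSP headers are
        # both enforced by the browser, which usually breaks the app.
        proxy_hide_header Content-Security-Policy;
        proxy_pass http://gitea:3000/;     # hypothetical upstream
    }
}
```

Check the effective headers per path with `curl -sI https://mail.example.com/` and `curl -sI https://mail.example.com/gitea/` rather than reading the config, since the inheritance rule is easy to get wrong.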
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close. It is not stale.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close