Current nginx config lacks recommended security headers, rate limiting, and request size limits.

Action required:

- Add rate limiting (see incident report)
- Add security headers such as:
  - Content-Security-Policy (CSP)
  - X-Frame-Options: DENY
  - X-XSS-Protection: 1; mode=block
  - Referrer-Policy: no-referrer
- Add request body size limits to block overlarge POST requests
Sample nginx config snippet:

```nginx
# Rate limiting: one bucket per client address, 10 MB of shared memory, 10 requests/second
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    location /api/ {
        # Allow up to 20 excess requests without queuing them; beyond that nginx answers 503 by default
        limit_req zone=api burst=20 nodelay;
        # Reject request bodies over 1 MB with 413
        client_max_body_size 1M;
    }

    # Security headers; "always" also sets them on error responses.
    # Note: add_header is inherited by a location only if that location has no add_header of its own.
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy no-referrer always;

    # ...other server blocks
}
```

Labels: bug, security, critical
CYBERSEC UPGRADES milestone recommended.
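To sanity-check the snippet above before rolling it out, here is an added model (not part of this issue or the project's code) of how nginx's `limit_req` leaky bucket treats a burst from one client with the values given (rate=10r/s, burst=20, nodelay), plus a checker for the requested headers; the client IP and response headers are constructed sample values.

```python
from dataclasses import dataclass, field

# Headers this issue asks for, as the config above will emit them (name -> expected value).
REQUIRED_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "no-referrer",
}

def missing_headers(response_headers: dict) -> list:
    """Return required headers a response lacks or sets to a different value (names compared case-insensitively)."""
    got = {k.lower(): v.strip() for k, v in response_headers.items()}
    return [name for name, want in REQUIRED_HEADERS.items() if got.get(name) != want]

@dataclass
class LimitReqZone:
    """Model of nginx limit_req's leaky bucket for one zone; excess is counted in requests."""
    rate: float            # rate=10r/s
    burst: int             # burst=20
    nodelay: bool = True   # nodelay: excess requests are served at once instead of being queued
    _buckets: dict = field(default_factory=dict)  # key ($binary_remote_addr) -> (excess, last_seen)

    def check(self, key: str, now: float):
        """Decide one request: ('pass' | 'delay' | 'reject', delay_seconds)."""
        if key not in self._buckets:
            # an unseen client gets an empty bucket and is always let through
            self._buckets[key] = (0.0, now)
            return "pass", 0.0
        excess, last = self._buckets[key]
        # the bucket drains at `rate` req/s since the last request, and this request adds one
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            # overflow: nginx answers 503 (limit_req_status) and leaves the bucket unchanged
            return "reject", 0.0
        self._buckets[key] = (excess, now)
        if self.nodelay or excess == 0.0:
            return "pass", 0.0
        return "delay", excess / self.rate   # without nodelay the request is held until it fits the rate

def simulate_burst(n: int, rate=10.0, burst=20, nodelay=True):
    """Fire n requests from one constructed client IP at the same instant; return counts per verdict."""
    zone = LimitReqZone(rate=rate, burst=burst, nodelay=nodelay)
    counts = {"pass": 0, "delay": 0, "reject": 0}
    for _ in range(n):
        verdict, _delay = zone.check("203.0.113.7", now=0.0)   # constructed sample client address
        counts[verdict] += 1
    return counts

if __name__ == "__main__":
    print(simulate_burst(30))   # 21 pass (1 + burst), 9 rejected with 503
    print(missing_headers({"Content-Type": "text/html", "X-Frame-Options": "DENY"}))
```

The model shows that burst=20 admits 21 instantaneous requests per client, not 20, and that dropping `nodelay` turns those excess requests into queued ones rather than rejections.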