From e088698bec2e23373091d3cc5feca4c2ff9f82aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Szekeres=20Ba=CC=81lint?= <szekeres.balint@hps.hu>
Date: Fri, 23 Feb 2018 01:40:17 +0100
Subject: [PATCH] Referrer-Policy, Content-Security-Policy

---
 README.md                                |   5 ++
 public/assets/js/app.js                  |   9 +-
 public/index.html                        | 105 +++++++++++++++--------
 public/templates/conf/_general.conf.html |   4 +
 4 files changed, 85 insertions(+), 38 deletions(-)

diff --git a/README.md b/README.md
index 6b6231c..abe0f7e 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,11 @@ Online nginx configuration generator.
 	* …
 * unified (`nginx.conf`) / modularized file structure (ideal for multi-domain environment)
 * security headers
+	* `X-Frame-Options`
+	* `X-XSS-Protection`
+	* `X-Content-Type-Options`
+	* `Referrer-Policy`
+	* `Content-Security-Policy`
 * `worker_processes`
 * `user`
 * `pid`
diff --git a/public/assets/js/app.js b/public/assets/js/app.js
index 9692d50..2669acc 100644
--- a/public/assets/js/app.js
+++ b/public/assets/js/app.js
@@ -58,6 +58,9 @@
 
 			file_structure:		'unified',
 
+			referrer_policy:			'no-referrer-when-downgrade',
+			content_security_policy:	'default-src * \'unsafe-eval\' \'unsafe-inline\'',
+
 			worker_processes:	'auto',
 			user:				'www-data',
 			pid:				'/run/nginx.pid',
@@ -270,8 +273,12 @@
 			return $scope.isPHP() && $scope.data.wordpress;
 		};
 
+		$scope.isCSP = function() {
+			return !!$scope.data.content_security_policy;
+		};
+
 		$scope.isAccessLog = function() {
-			return $scope.data.access_log;
+			return !!$scope.data.access_log;
 		};
 
 		$scope.isGzip = function() {
diff --git a/public/index.html b/public/index.html
index 4de2e35..7156bb8 100644
--- a/public/index.html
+++ b/public/index.html
@@ -125,58 +125,89 @@
 										</div>
 									</div>
 								</div>
-								<div class="form-check">
+							</div>
+						</div>
+						<div class="card">
+							<div class="card-body">
+								<div class="form-check mb-2">
 									<input class="form-check-input" type="checkbox" id="index_html" ng-model="data.index_html">
 									<label class="form-check-label" for="index_html">
 										<span tooltips tooltip-template="Pass unhandled requests to index.html.<br><br><i>Angular, React, Vue.js, Ember.js</i>...">index.html <small>handler</small></span>
 									</label>
 								</div>
+								<div class="form-group">
+									<div class="input-group" tooltips tooltip-template="PHP-FPM via TCP or unix socket.">
+										<div class="input-group-prepend">
+											<div class="input-group-text">PHP</div>
+										</div>
+										<select class="form-control" ng-model="data.php">
+											<option value="off">disabled</option>
+											<option value="tcp">TCP</option>
+											<option value="5.x">5.x socket</option>
+											<option value="7.0">7.0 socket</option>
+											<option value="7.1">7.1 socket</option>
+											<option value="7.2">7.2 socket</option>
+											<option value="7.3">7.3 socket</option>
+										</select>
+									</div>
+								</div>
+								<div class="form-subgroup" ng-if="isPHP()">
+									<div class="form-check">
+										<input class="form-check-input" type="checkbox" id="index_php" ng-model="data.index_php">
+										<label class="form-check-label" for="index_php">
+											<span tooltips tooltip-template="Pass unhandled requests to index.php.<br><br><i>Laravel, Lumen, Symfony, Zend, CodeIgniter, Yii, CakePHP, Slim...</i>">index.php <small>handler</small></span>
+										</label>
+									</div>
+								</div>
+								<div class="form-subgroup" ng-if="isPHP()">
+									<div class="form-check">
+										<input class="form-check-input" type="checkbox" id="wordpress" ng-model="data.wordpress">
+										<label class="form-check-label" for="wordpress">
+											<span tooltips tooltip-template="WordPress security rules and login limiting <i>(if enabled)</i>.">WordPress</span>
+										</label>
+									</div>
+								</div>
 							</div>
 						</div>
 						<div class="card">
 							<div class="card-body">
-								<div class="form-group">
-									<label class="form-label">
-										<span tooltips tooltip-template="PHP-FPM via TCP or unix socket.">PHP</span>
-									</label>
-									<select class="form-control" ng-model="data.php">
-										<option value="off">disabled</option>
-										<option value="tcp">TCP</option>
-										<option value="5.x">5.x socket</option>
-										<option value="7.0">7.0 socket</option>
-										<option value="7.1">7.1 socket</option>
-										<option value="7.2">7.2 socket</option>
-										<option value="7.3">7.3 socket</option>
-									</select>
-								</div>
-								<div class="form-check" ng-if="isPHP()">
-									<input class="form-check-input" type="checkbox" id="index_php" ng-model="data.index_php">
-									<label class="form-check-label" for="index_php">
-										<span tooltips tooltip-template="Pass unhandled requests to index.php.<br><br><i>Laravel, Lumen, Symfony, Zend, CodeIgniter, Yii, CakePHP, Slim...</i>">index.php <small>handler</small></span>
-									</label>
+								<label class="form-label">File structure</label>
+								<div class="form-subgroup">
+									<div class="form-check">
+										<input class="form-check-input" type="radio" id="unified" ng-model="data.file_structure" value="unified">
+										<label class="form-check-label" for="unified">
+											<span tooltips tooltip-template="Combine configuration to a single file.<br><br><i>(if possible)</i>">unified</span>
+										</label>
+									</div>
 								</div>
-								<div class="form-check" ng-if="isPHP()">
-									<input class="form-check-input" type="checkbox" id="wordpress" ng-model="data.wordpress">
-									<label class="form-check-label" for="wordpress">
-										<span tooltips tooltip-template="WordPress security rules and login limiting <i>(if enabled)</i>.">WordPress</span>
-									</label>
+								<div class="form-subgroup">
+									<div class="form-check">
+										<input class="form-check-input" type="radio" id="modularized" ng-model="data.file_structure" value="modularized">
+										<label class="form-check-label" for="modularized">
+											<span tooltips tooltip-template="Multiple configuration files<br><br><i>(ideal for multi-domain environment)</i>">modularized</span>
+										</label>
+									</div>
 								</div>
 							</div>
 						</div>
 						<div class="card">
 							<div class="card-body">
-								<label class="form-label">File structure</label>
-								<div class="form-check">
-									<input class="form-check-input" type="radio" id="unified" ng-model="data.file_structure" value="unified">
-									<label class="form-check-label" for="unified">
-										<span tooltips tooltip-template="Combine configuration to a single file.<br><br><i>(if possible)</i>">unified</span>
-									</label>
+								<div class="form-group">
+									<label class="form-label"><code tooltips tooltip-template="Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.">Referrer-Policy</code></label>
+									<select class="form-control form-control-sm" ng-model="data.referrer_policy">
+										<option value="no-referrer">no-referrer</option>
+										<option value="no-referrer-when-downgrade">no-referrer-when-downgrade</option>
+										<option value="origin">origin</option>
+										<option value="origin-when-cross-origin">origin-when-cross-origin</option>
+										<option value="same-origin">same-origin</option>
+										<option value="strict-origin">strict-origin</option>
+										<option value="strict-origin-when-cross-origin">strict-origin-when-cross-origin</option>
+										<option value="unsafe-url">unsafe-url</option>
+									</select>
 								</div>
-								<div class="form-check">
-									<input class="form-check-input" type="radio" id="modularized" ng-model="data.file_structure" value="modularized">
-									<label class="form-check-label" for="modularized">
-										<span tooltips tooltip-template="Multiple configuration files<br><br><i>(ideal for multi-domain environment)</i>">modularized</span>
-									</label>
+								<div class="form-group">
+									<label class="form-label"><code tooltips tooltip-template="Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.">Content-Security-Policy</code></label>
+									<input type="text" class="form-control form-control-sm" ng-model="data.content_security_policy">
 								</div>
 							</div>
 						</div>
@@ -184,7 +215,7 @@
 							<div class="card-body">
 								<div class="form-group">
 									<label class="form-label"><code tooltips tooltip-template="Sets the maximum number of simultaneous connections that can be opened by a worker process.">worker_processes</code></label>
-									<select class="form-control" ng-model="data.worker_processes">
+									<select class="form-control form-control-sm" ng-model="data.worker_processes">
 										<option value="auto">auto</option>
 										<option value="1">1</option>
 										<option value="2">2</option>
diff --git a/public/templates/conf/_general.conf.html b/public/templates/conf/_general.conf.html
index b3c45b4..e831847 100644
--- a/public/templates/conf/_general.conf.html
+++ b/public/templates/conf/_general.conf.html
@@ -3,6 +3,10 @@ add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-UA-Compatible "IE=Edge" always;
+add_header Referrer-Policy "{{ data.referrer_policy }}" always;<!--
+
+✔ CSP--><span ng-if="isCSP()">
+add_header Content-Security-Policy "{{ data.content_security_policy }}" always;</span>
 
 # . files
 location ~ /\. {