Release v0.6 (#33)

* Smaller ssl labs picture

* Tuning headers after test report by securityheaders.com

Author: Håkan Ströberg

README.md

@@ -26,7 +26,7 @@ Create and automatically renew website SSL certificates using the free [Let's En
 
 This rating is returned for both domains and sub domains.
 
-![SSL Labs rating](assets/ssl-labs.png)
+![SSL Labs rating](assets/ssl-labs-w800.png)
 
 ## Table of contents <!-- omit in toc -->
 
@@ -272,8 +272,11 @@ docker-compose -f docker-compose.dry-run.yml up
 Some configurations are provided by the image. Those files are located in the `nginx_conf.d/secure.d` folder.
 
 - `header.conf`  
-  This file contains header properties to handle and trying to prevent hacker attacks.
-  More about headers [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/)
+  This file contains header properties to fine tune the browser security and availability behaviour. Test the settings on [Security Headers](https://securityheaders.com/).
+
+  More about headers on site [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/), or use the links provided inside `header.conf` file.
+
+  > :fire: It's highly likely that these properties needs to be changed depending on your, or the hosted sites needs.
 
 - `location.conf`  
   This file is not used by default by the image but is available for [reverse proxy location blocks](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).

assets/ssl-labs-w800.png

@@ -1,9 +1,20 @@
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# Change headers to your needs since they will affect the behaviour and access to your sites.
 
-add_header Strict-Transport-Security  "max-age=31536000; includeSubdomains";
+add_header Content-Security-Policy    "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
+add_header Permissions-Policy         "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";
+add_header Referrer-Policy            strict-origin-when-cross-origin;
+add_header Strict-Transport-Security  "max-age=31536000; includeSubdomains; preload";
 add_header X-Frame-Options            SAMEORIGIN;
 add_header X-Content-Type-Options     nosniff;
 add_header X-XSS-Protection           "1; mode=block";
+
+### Reference guides ###
+
+# https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
+# https://geekflare.com/http-header-implementation/
+# https://content-security-policy.com/examples/nginx/
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection