Fix chat

modules/nixos/server/nginx.nix

@@ -53,16 +53,16 @@ in with lib; {
         # add_header Strict-Transport-Security $hsts_header;
 
         # Enable CSP for your services.
-        add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+        # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 
         # Minimize information leaked to other domains
-        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+        # add_header 'Referrer-Policy' 'origin-when-cross-origin';
 
         # Disable embedding as a frame
         add_header X-Frame-Options DENY;
 
         # Prevent injection of code in other mime types (XSS Attacks)
-        add_header X-Content-Type-Options nosniff;
+        # add_header X-Content-Type-Options nosniff;
 
         # This might create errors
         # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
@@ -72,6 +72,14 @@ in with lib; {
 
         # This is necessary to pass the correct IP to be hashed
         real_ip_header X-Real-IP;
+
+        # security
+        add_header X-XSS-Protection          "1; mode=block" always;
+        add_header X-Content-Type-Options    "nosniff" always;
+        add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+        add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+        add_header Permissions-Policy        "interest-cohort=()" always;
+        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
       '';
 
       virtualHosts = let