From a2929be104fd3ed2a5b1b4dcda6727a7fb4d6312 Mon Sep 17 00:00:00 2001 From: dallaslu Date: Fri, 5 Jun 2026 14:04:17 +0800 Subject: [PATCH] update --- README.md | 7 ++++++- fastcgi/hide-powered-by.conf | 1 + proxy_pass/hide-powered-by.conf | 1 + scripts/validate-docker.ps1 | 27 +++++++++++++++++++++++++++ security-legacy.conf | 2 ++ security.conf | 15 ++++++--------- 6 files changed, 43 insertions(+), 10 deletions(-) create mode 100644 fastcgi/hide-powered-by.conf create mode 100644 proxy_pass/hide-powered-by.conf create mode 100644 security-legacy.conf diff --git a/README.md b/README.md index e81ed89..743a243 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ systemctl reload nginx This repository is organized by nginx context: - `http/`: snippets that must be included inside `http {}`. +- `fastcgi/`: FastCGI-specific snippets for `location {}` or `server {}` blocks. - `ssl/`: HTTPS and TLS snippets for `server {}` blocks. - `proxy_pass/`: reverse proxy snippets for `location {}` blocks. - `redirect/`: host and canonical URL redirects for `server {}` blocks. 
@@ -132,13 +133,16 @@ server { - `kit/http/gzip.conf`: gzip compression for common text-based responses. Must be included inside `http {}`. - `kit/http/websocket-map.conf`: defines `$connection_upgrade` for websocket proxying. Must be included inside `http {}`. -- `kit/security.conf`: common security headers and host normalization. Intended for `server {}`. +- `kit/security.conf`: common low-risk security headers and host normalization. Intended for `server {}`. +- `kit/security-legacy.conf`: optional legacy compatibility headers such as `X-Download-Options` and `X-Permitted-Cross-Domain-Policies`. +- `kit/fastcgi/hide-powered-by.conf`: hides `X-Powered-By` from FastCGI upstream responses. - `kit/ssl/security.conf`: TLS protocol and session resumption settings. Intended for `server {}`. - `kit/ssl/hsts.conf`: HSTS header for HTTPS responses. Intended for `server {}`. - `kit/ssl/hsts-preload.conf`: HSTS variant with `preload`. Use only if the whole domain tree is preload-safe. - `kit/ssl/force.conf`: redirects HTTP requests to HTTPS. Intended for `server {}`. - `kit/redirect/to-primary-domain.conf`: redirects aliases to the primary `server_name`. Intended for `server {}`. - `kit/proxy_pass/forwarded.conf`: standard reverse proxy headers. Intended for `location {}`. +- `kit/proxy_pass/hide-powered-by.conf`: hides `X-Powered-By` from proxied upstream responses. - `kit/proxy_pass/websocket.conf`: websocket upgrade headers. Requires `kit/http/websocket-map.conf`. - `kit/proxy_pass/timeout-300.conf`: longer proxy timeouts. Intended for `location {}`. 
@@ -160,3 +164,4 @@ The script validates: - `gzip_proxied` does not remove `ETag` or `Last-Modified` headers. It only controls when nginx may gzip requests that arrived through another proxy. - `text/html` does not need to appear in `gzip_types`; nginx compresses it automatically. - Gzip over HTTPS can contribute to BREACH-style risk for responses that reflect attacker-controlled input alongside secrets. Keep that in mind for highly sensitive dynamic pages. +- `kit/security.conf` intentionally does not set `X-Robots-Tag: none` or `X-XSS-Protection: 1; mode=block`; those are too risky or too obsolete for a default site-wide baseline. diff --git a/fastcgi/hide-powered-by.conf b/fastcgi/hide-powered-by.conf new file mode 100644 index 0000000..9b9928a --- /dev/null +++ b/fastcgi/hide-powered-by.conf @@ -0,0 +1 @@ +fastcgi_hide_header X-Powered-By; diff --git a/proxy_pass/hide-powered-by.conf b/proxy_pass/hide-powered-by.conf new file mode 100644 index 0000000..4099e9b --- /dev/null +++ b/proxy_pass/hide-powered-by.conf @@ -0,0 +1 @@ +proxy_hide_header X-Powered-By; diff --git a/scripts/validate-docker.ps1 b/scripts/validate-docker.ps1 index 2b11e8d..8276844 100644 --- a/scripts/validate-docker.ps1 +++ b/scripts/validate-docker.ps1 @@ -22,6 +22,30 @@ $serverSnippetConfig = @( $serverSnippetConfigShell = $serverSnippetConfig -replace "`n", "\\n" +$optionalSnippetConfig = @( + "events {}" + "" + "http {" + " include /etc/nginx/mime.types;" + " default_type application/octet-stream;" + "" + " server {" + " listen 8080;" + " include /etc/nginx/kit/security-legacy.conf;" + "" + " location /fastcgi {" + " include /etc/nginx/kit/fastcgi/hide-powered-by.conf;" + " }" + "" + " location /proxy {" + " include /etc/nginx/kit/proxy_pass/hide-powered-by.conf;" + " }" + " }" + "}" +) -join "\n" + +$optionalSnippetConfigShell = $optionalSnippetConfig -replace "`n", "\\n" + $containerCommand = @( "set -eu" "apk add --no-cache openssl >/dev/null" 
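Review bot: The new one-line `fastcgi/hide-powered-by.conf` has no comment stating what it does and does not do, which matters for a kit meant to be `include`d without reading the README; a header such as `# Drop the upstream's X-Powered-By (e.g. PHP-FPM) before it reaches the client; this only removes the header nginx forwards, it does not change what the upstream emits, so treat it as fingerprint reduction rather than a hardening control.` would set expectations. It would also help to say that `fastcgi_hide_header` does not cover other version-bearing headers an application may add, so operators should still inspect real responses. The README entry only says it hides `X-Powered-By`, which is accurate but leaves the limitation implicit.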
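Review bot: `proxy_hide_header` lists are, as far as I recall of nginx's upstream header-hash merge, taken from the current level when it defines any and otherwise inherited wholesale, so including this snippet in a `location {}` that also needs headers hidden by a parent `server {}` may silently lose the parent's list; the file should warn about that, e.g. `# NOTE: proxy_hide_header lists do not merge across levels; keep every hidden header for a location together.` (verify on the nginx version you ship). A second line noting that nginx already drops the upstream `Server` and `Date` headers by default, so this snippet is only needed for application headers like `X-Powered-By`, would stop people from adding redundant entries.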
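Review bot: The `-replace` on the last added assignment is a no-op: the preceding `-join "\n"` produces the two literal characters backslash and n (in PowerShell only the backtick-n escape is a newline), so `$optionalSnippetConfigShell` is byte-identical to `$optionalSnippetConfig`; this mirrors the existing `$serverSnippetConfig` lines above the hunk, but it reads as if escaping happens here when it is really `printf '%b'` in the container command that expands the sequences. Either join with the backtick-n newline so the replace does real work, or drop the `...Shell` variable and add a comment `# literal \n sequences; expanded by printf '%b' inside the container`. Because the text is later spliced into a single-quoted `sh` argument, a `'` in any of these strings would break out of the quoting; a guard such as `if ($optionalSnippetConfig -match "'") { throw 'snippet config must not contain single quotes' }` turns that into a hard failure instead of a mangled command.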
@@ -35,10 +59,13 @@ $containerCommand = @( "ln -s /etc/nginx/kit /tmp/nginx-kit/examples/kit" "cp /etc/nginx/kit/examples/reverse-proxy.nginx.conf /tmp/nginx-kit/examples/reverse-proxy.nginx.conf" "printf '%b' '$serverSnippetConfigShell' > /tmp/nginx-kit/server-snippet.nginx.conf" + "printf '%b' '$optionalSnippetConfigShell' > /tmp/nginx-kit/optional-snippets.nginx.conf" "echo 'Validating examples/example.com.conf'" "nginx -t -c /tmp/nginx-kit/server-snippet.nginx.conf" "echo 'Validating examples/reverse-proxy.nginx.conf'" "nginx -t -c /tmp/nginx-kit/examples/reverse-proxy.nginx.conf" + "echo 'Validating optional security and hide-powered-by snippets'" + "nginx -t -c /tmp/nginx-kit/optional-snippets.nginx.conf" ) -join "; " docker run --rm ` diff --git a/security-legacy.conf b/security-legacy.conf new file mode 100644 index 0000000..6802367 --- /dev/null +++ b/security-legacy.conf @@ -0,0 +1,2 @@ +add_header X-Download-Options noopen always; +add_header X-Permitted-Cross-Domain-Policies none always; diff --git a/security.conf b/security.conf index 9a3be44..be90535 100644 --- a/security.conf +++ b/security.conf @@ -1,15 +1,12 @@ -server_tokens off; ## Don't show the nginx version number, a security best practice - -add_header Referrer-Policy origin-when-cross-origin always; -add_header X-Frame-Options SAMEORIGIN; -add_header X-Content-Type-Options nosniff; -#add_header X-XSS-Protection "1; mode=block" always; -add_header X-XSS-Protection "0"; +server_tokens off; -#more_clear_headers 'X-Powered-By'; +add_header Referrer-Policy strict-origin-when-cross-origin always; +add_header X-Frame-Options SAMEORIGIN always; +add_header X-Content-Type-Options nosniff always; +add_header X-XSS-Protection "0" always; # Redirect `example.com.` to `example.com` if ($http_host ~ "\.$" ){ rewrite ^(.*) $scheme://$host$1 permanent; -} \ No newline at end of file +}
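Review bot: Because nginx's `add_header` is inherited only when the current level declares none of its own, including `security-legacy.conf` inside a `location {}` while `kit/security.conf` sits at `server {}` level silently drops the baseline headers for that location; the file should say so, e.g. `# Include at the same level as security.conf (normally server {}): add_header lists do not merge across levels.` A one-line comment naming the consumers (`X-Download-Options` for old Internet Explorer, `X-Permitted-Cross-Domain-Policies` for Flash/Acrobat cross-domain policy files) would let someone decide whether they need it without opening the README. The `always` flag matches the rewritten `security.conf`, which is good.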
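Review bot: The four `add_header` lines are now the site-wide baseline, yet nginx drops all of them in any `location {}` (or nested block) that declares its own `add_header`, so a lone `add_header Cache-Control ...` in a location silently strips `X-Frame-Options` and `X-Content-Type-Options` there; the file should carry that caveat, e.g. `# add_header is inherited only if the child block has no add_header of its own; re-include this file in any location that adds headers.` Adding `always` is the right call so nginx's own error pages also get the headers. `X-XSS-Protection "0"` is correct since the legacy filter is itself an attack surface, and a short inline `# 0 disables the legacy XSS auditor, which could be abused to leak data` would make that intent self-contained instead of living only in the README. Pairing `X-Frame-Options SAMEORIGIN` with a `Content-Security-Policy: frame-ancestors` line is out of scope for a generic kit but worth a pointer in the comment.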