joinmarket-webui · Abhijay007 · Apr 30, 2025
diff --git a/standalone/nginx/default.conf b/standalone/nginx/default.conf
@@ -1,4 +1,3 @@
-
 upstream jmwalletd_api_backend {
     zone upstreams 256K;
     server 127.0.0.1:28183;
@@ -33,6 +32,15 @@ server {
     auth_basic off;
     auth_basic_user_file /etc/nginx/.htpasswd;
 
+    # Security headers
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+
     gzip on;
     gzip_types application/javascript application/json text/css text/plain image/svg+xml;
 

diff --git a/ui-only/nginx/templates/default.conf.template b/ui-only/nginx/templates/default.conf.template
@@ -1,4 +1,3 @@
-
 upstream jmwalletd_api_backend {
     zone upstreams 64K;
     server $JAM_JMWALLETD_API_PROXY;
@@ -30,6 +29,15 @@ server {
     access_log /var/log/nginx/access_jam.log;
     error_log /var/log/nginx/error_jam.log;
 
+    # Security headers
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+
     gzip on;
     gzip_types application/javascript application/json text/css image/svg+xml;