From d5f59da07607351dc5c90b0daff4c1f6fabdd78e Mon Sep 17 00:00:00 2001
From: builder-2 <claw@jopdorp.nl>
Date: Sun, 31 May 2026 13:42:48 +0000
Subject: [PATCH] security: add security headers via nginx ingress annotations

Adds the following headers via configuration-snippet:
- Strict-Transport-Security (HSTS) with preload
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Content-Security-Policy (AdSense-compatible)
- X-XSS-Protection
- Permissions-Policy

Closes t_31f12d65
---
 k8s/ingress.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/k8s/ingress.yaml b/k8s/ingress.yaml
index bad1381..c9731f9 100644
--- a/k8s/ingress.yaml
+++ b/k8s/ingress.yaml
@@ -10,6 +10,14 @@ metadata:
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
+      more_set_headers "X-Frame-Options: DENY";
+      more_set_headers "X-Content-Type-Options: nosniff";
+      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+      more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://partner.googleadservices.com https://tpc.googlesyndication.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; frame-src https://googleads.g.doubleclick.net; object-src 'none'; base-uri 'self'; form-action 'self';";
+      more_set_headers "X-XSS-Protection: 1; mode=block";
+      more_set_headers "Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
 spec:
   ingressClassName: nginx
   tls: