Nginx
Michael, 2021-11-22 21:00:55

How to pass Mozilla Observatory validation?

https://observatory.mozilla.org/

Strange header output

X-Content-Type-Options
X-Frame-Options
X-XSS-Protection


They are in the site config.
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Content-Security-Policy "default-src 'self';";


Issuing curl:
curl -I https://sitename.ru
server: nginx
date: Mon, 22 Nov 2021 17:51:04 GMT
content-type: text/html; charset=utf-8
set-cookie: CMSSESSIDd20b285e97a8=0t5knknkun36r2i4nionqf8gdj; path=/; domain=sitename.ru; secure; HttpOnly; SameSite=Strict
cache-control: public, max-age=10800
expires: Tue, 23 Nov 2021 17:51:02 GMT
last-modified: Mon, 15 Nov 2021 23:06:00 GMT
x-fastcgi-cache: HIT


But if you request a specific file from this site, then all the X- headers are sent. Where is my mistake?
curl -I https://sitename.ru/file.jpg
HTTP/2 200
server: nginx
date: Mon, 22 Nov 2021 17:57:46 GMT
content-type: image/jpeg
content-length: 82433
last-modified: Fri, 29 Jan 2021 21:32:16 GMT
etag: "60147ee0-14201"
expires: Thu, 31 Dec 2037 23:55:55 GMT
cache-control: max-age=315360000
content-security-policy: default-src 'self'; font-src *;img-src * data:; script-src *; style-src *
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=63072000
accept-ranges: bytes




1 answer(s)
Alexander Karabanov, 2021-11-22
@happy-cat

If add_header directives are specified at the http level and add_header directives are also specified at the server level, then the server-level directives are used. The same thing happens at deeper nesting levels.
Directives are not merged: inheritance is cancelled simply by the presence of the corresponding directive in the nested block.
Roughly all directives in nginx work according to the same simple scheme: if the directive is set at the current level, it is not inherited; if it is not set, it is inherited. The exceptions are certain directives that are not inherited at all.
(struck through) From the config fragment shown it is not obvious what should happen next. I suggest duplicating the add_header directives in the location you are interested in, or rewriting the config so that inheritance works.
UPD
Now that you have posted the full configuration, it can be seen that the server-level directives are cancelled at the location @php level because of the add_header directive present there. Duplicate the add_header directives you are interested in in that location.
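The inheritance rule described in this answer, shown as an added example config (not the answerer's or the asker's own config). The hostname, the include path, the fastcgi socket and the contents of the @php location are assumptions; the X-FastCGI-Cache add_header is only a plausible guess at what cancels inheritance, since the asker's output shows an x-fastcgi-cache header on the HTML response.

```nginx
# --- Before: headers defined at server level are NOT sent from @php ---
server {
    listen 443 ssl http2;
    server_name example.test;   # placeholder hostname

    # "always" makes nginx add the header on every status code,
    # not only on 200/204/206/3xx responses.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *" always;

    location / {
        # Static files (file.jpg) have no add_header of their own,
        # so they inherit the four headers above.
        try_files $uri $uri/ @php;
    }

    location @php {
        # Any add_header in this block cancels inheritance of ALL
        # server-level add_header directives: the PHP-rendered HTML
        # leaves with only the header defined here (assumed directive).
        add_header X-FastCGI-Cache $upstream_cache_status;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        include fastcgi_params;
    }
}

# --- After: keep the header set in one snippet and repeat it wherever
# --- a block defines its own add_header.
# /etc/nginx/snippets/security-headers.conf  (assumed path)
#   add_header X-Content-Type-Options nosniff always;
#   add_header X-Frame-Options SAMEORIGIN always;
#   add_header Strict-Transport-Security "max-age=63072000" always;
#   add_header Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *" always;

server {
    listen 443 ssl http2;
    server_name example.test;

    include snippets/security-headers.conf;

    location / {
        try_files $uri $uri/ @php;
    }

    location @php {
        # Inheritance stops here, so include the same snippet again.
        include snippets/security-headers.conf;
        add_header X-FastCGI-Cache $upstream_cache_status;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
    }
}
```

Run nginx -t after the change and then repeat the two curl -I requests from the question (the HTML page and a static file): both responses should now carry the same header set. Note that the config in the question declares Content-Security-Policy twice; nginx emits both headers, and a browser enforces every policy it receives, so the stricter default-src 'self' line also applies to the page and the looser one does not relax it.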
