Update Content-Security-Policy and security headers in antibot, loading and default server page

src/common/confs/default-server-http.conf

@@ -74,7 +74,7 @@ server {
 						.. nonce_script
 						.. "'; style-src 'nonce-"
 						.. nonce_style
-						.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script';"
+						.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script'; block-all-mixed-content; upgrade-insecure-requests;"
 
 				-- Remove server header
 				ngx.header["Server"] = nil
@@ -84,6 +84,12 @@ server {
 					ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
 				end
 
+				-- Override X-Content-Type-Options header
+				ngx.header["X-Content-Type-Options"] = "nosniff"
+
+				-- Override Referrer-Policy header
+				ngx.header["Referrer-Policy"] = "no-referrer"
+
 				-- Render template
 				render("index.html", {
 					nonce_style = nonce_style,

src/common/core/antibot/antibot.lua

@@ -90,6 +90,7 @@ function antibot:header()
 	for directive, value in pairs(csp_directives) do
 		csp_content = csp_content .. directive .. " " .. value .. "; "
 	end
+	csp_content = csp_content .. "block-all-mixed-content; upgrade-insecure-requests;"
 	ngx.header["Content-Security-Policy"] = csp_content
 	return self:ret(true, "successfully overridden CSP header")
 end

src/common/core/errors/errors.lua

@@ -96,7 +96,7 @@ function errors:render_template(code)
 		.. "'; style-src 'nonce-"
 		.. nonce_style
 		--luacheck: ignore 631
-		.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script';"
+		.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script'; block-all-mixed-content; upgrade-insecure-requests;"
 
 	-- Remove server header
 	ngx.header["Server"] = nil
@@ -114,6 +114,12 @@ function errors:render_template(code)
 		ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
 	end
 
+	-- Override X-Content-Type-Options header
+	ngx.header["X-Content-Type-Options"] = "nosniff"
+
+	-- Override Referrer-Policy header
+	ngx.header["Referrer-Policy"] = "no-referrer"
+
 	-- Render template
 	render("error.html", {
 		title = code .. " - " .. self.default_errors[code].title,

src/common/core/misc/confs/default-server-http/page.conf

@@ -22,7 +22,7 @@ location / {
 			-- Override CSP header
 			ngx.header["Content-Security-Policy"] = "default-src 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data:; style-src 'self' 'nonce-"
 				.. nonce_style
-				.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script';"
+				.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script'; block-all-mixed-content; upgrade-insecure-requests;"
 
 			-- Remove server header
 			ngx.header["Server"] = nil
@@ -32,6 +32,12 @@ location / {
 				ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
 			end
 
+			-- Override X-Content-Type-Options header
+			ngx.header["X-Content-Type-Options"] = "nosniff"
+
+			-- Override Referrer-Policy header
+			ngx.header["Referrer-Policy"] = "no-referrer"
+
 			-- Render template
 			render("default.html", {
 				nonce_style = nonce_style,