From c72d9f7720e9dc96cb7673292e2bb8882d49bbc9 Mon Sep 17 00:00:00 2001
From: agastya gaur
Date: Thu, 5 Dec 2024 19:29:41 +0530
Subject: [PATCH 1/2] add ngnix security

---
 nginx-default.conf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nginx-default.conf b/nginx-default.conf
index 3d67dc68..595d912c 100644
--- a/nginx-default.conf
+++ b/nginx-default.conf
@@ -5,5 +5,17 @@ server {
 root /usr/share/nginx/html;
 index index.html index.htm;
 try_files $uri /index.html;
+
+ # Add security headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Referrer-Policy no-referrer-when-downgrade;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' *.hasadna.org.il;";
+
+ # CORS settings
+ add_header Access-Control-Allow-Origin "self https://www.google-analytics.com https://www.googletagmanager.com https://fonts.gstatic.com https://fonts.googleapis.com *.hasadna.org.il";
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+ add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
 }
 }

From f545c9cc6119c3ac4211a49c5a8b039d0e390cd4 Mon Sep 17 00:00:00 2001
From: agastya gaur
Date: Tue, 10 Dec 2024 19:09:55 +0530
Subject: [PATCH 2/2] refactor: remove CORS settings from nginx configuration for improved security

---
 nginx-default.conf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/nginx-default.conf b/nginx-default.conf
index 595d912c..ae1f3589 100644
--- a/nginx-default.conf
+++ b/nginx-default.conf
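Review bot: The `add_header` directives added after `try_files` are only emitted on 2xx/3xx responses, so the 404 path and any 5xx page go out without CSP, X-Frame-Options or the other headers; append `always` to each one, e.g. `add_header X-Frame-Options SAMEORIGIN always;`. These lines appear to sit in a nested block (two closing braces follow them), and nginx does not inherit `add_header` across levels once any `add_header` is set at a level, so other location blocks in the file, if there are any, would not get these headers — a comment such as `# add_header is not inherited across levels; repeat here or move to server scope` would save the next maintainer that surprise. `X-XSS-Protection "1; mode=block"` is a legacy header that current guidance recommends setting to `0` or omitting, since the auditor it controlled has been removed from modern browsers. The CSP defines no `img-src`, so image requests fall back to `default-src 'self'` and analytics beacons to the listed hosts would presumably be blocked — confirm whether that is intended. The enclosing block starts outside the hunk.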
@@ -13,9 +13,5 @@ server {
 add_header Referrer-Policy no-referrer-when-downgrade;
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' *.hasadna.org.il;";
 
- # CORS settings
- add_header Access-Control-Allow-Origin "self https://www.google-analytics.com https://www.googletagmanager.com https://fonts.gstatic.com https://fonts.googleapis.com *.hasadna.org.il";
- add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
- add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
 }
 }