cleanup for readability, set basic CSP

Author: philcryer

globals/secure.conf

@@ -1,35 +1,33 @@
 #### nginx-globals - https://github.com/philcryer/nginx-globals
 
 #### Security headers configured to protect against XSS and other web threats
-#### Guided by Voices, I mean Securityheaders.com https://securityheaders.com/ - Thanks!
-add_header                      Cache-Control "public";
-add_header                      X-Frame-Options "DENY";
-add_header                      X-Frame-Options "SAMEORIGIN";
-add_header                      X-XSS-Protection "1; mode=block";
-add_header                      X-Content-Type-Options "nosniff";
-add_header                      Content-Type "text/html; charset=UTF-8";
-add_header                      X-Permitted-Cross-Domain-Policies "master-only";
+#### these options setup with Securityheaders help. Thanks! https://securityheaders.com/
+add_header              Cache-Control "public";
+add_header              X-Frame-Options "DENY";
+add_header              X-Frame-Options "SAMEORIGIN";
+add_header              X-XSS-Protection "1; mode=block";
+add_header              X-Content-Type-Options "nosniff";
+add_header              Content-Type "text/html; charset=UTF-8";
+add_header              X-Permitted-Cross-Domain-Policies "master-only";
 
 
 #### Drop the Server: header
 #### install nginx-extras (debian, ubuntu) to add the more set headers module
-#more_clear_headers 'Server:*';
+#more_clear_headers     'Server:*';
 #### Bonus, reset the Server: header to whatever you want to mess with people
-#more_set_headers 'Server: fak3r.com';
+#more_set_headers       'Server: tehgoogle.com';
 # or
-#more_set_headers 'Server: IIS 4.0 (Windows NT 4.0)';
+#more_set_headers       'Server: IIS 4.0 (Windows NT 4.0)';
 
 
 #### Content Security Policy
 #### http://tautt.com/best-nginx-configuration-for-security/
-#+ add_header Content-Security-Policy
-
-#add_header Content-Security-Policy "default-src https: connect-src https: font-src https: data: frame-src https: img-src https: data: media-src https:  object-src https: script-src 'unsafe-inline' 'unsafe-eval' https: style-src 'unsafe-inline' https:";
-
-#more specific...
-        	#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; connect-src 'self' https://fonts.googleapis.com; object-src 'none' "; 
-#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; object-src 'none' ";
-#add_header Content-Security-Policy "style-src https://cdnjs.cloudflare.com; ";
-#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://cdnjs.cloudflare.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'"; 
-#add_header Content-Security-Policy "style-src 'https://cdnjs.cloudflare.com'; default-src 'self'; object-src 'none'";
-#add_header Content-Security-Policy "default-src 'self'"; 
+add_header              Content-Security-Policy
+add_header              Content-Security-Policy "default-src 'self'"; 
+#### these can get very specific, options below. To really lock things down will take some time to get right
+#add_header             Content-Security-Policy "default-src https: connect-src https: font-src https: data: frame-src https: img-src https: data: media-src https:  object-src https: script-src 'unsafe-inline' 'unsafe-eval' https: style-src 'unsafe-inline' https:";
+#add_header             Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; connect-src 'self' https://fonts.googleapis.com; object-src 'none' "; 
+#add_header             Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src 'self'; connect-src 'self' https://apis.google.com; object-src 'none' ";
+#add_header             Content-Security-Policy "style-src https://cdnjs.cloudflare.com; ";
+#add_header             Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://cdnjs.cloudflare.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'"; 
+#add_header             Content-Security-Policy "style-src 'https://cdnjs.cloudflare.com'; default-src 'self'; object-src 'none'";