From 58f6b20625aa2eedc604c141e7290e91a746d6d4 Mon Sep 17 00:00:00 2001 From: Aditya Prima Date: Mon, 22 Jul 2024 18:52:48 +0700 Subject: [PATCH] Initial Commit --- .gitea/workflows/alpine-dockerio.yaml | 60 ++++++++++++++++++ .gitea/workflows/alpine-winter.yaml | 56 +++++++++++++++++ Dockerfile.alpine | 29 +++++++++ Dockerfile.alpine-rootless | 38 +++++++++++ app/index.html | 29 +++++++++ etc/nginx/conf.d/default.conf | 16 +++++ etc/nginx/naxsi_core.rules | 91 +++++++++++++++++++++++++++ etc/nginx/nginx-rootless.conf | 69 ++++++++++++++++++++ etc/nginx/nginx.conf | 71 +++++++++++++++++++++ etc/nginx/proxy_params | 4 ++ etc/nginx/ssl_params | 22 +++++++ 11 files changed, 485 insertions(+) create mode 100644 .gitea/workflows/alpine-dockerio.yaml create mode 100644 .gitea/workflows/alpine-winter.yaml create mode 100644 Dockerfile.alpine create mode 100644 Dockerfile.alpine-rootless create mode 100644 app/index.html create mode 100644 etc/nginx/conf.d/default.conf create mode 100644 etc/nginx/naxsi_core.rules create mode 100644 etc/nginx/nginx-rootless.conf create mode 100644 etc/nginx/nginx.conf create mode 100644 etc/nginx/proxy_params create mode 100644 etc/nginx/ssl_params diff --git a/.gitea/workflows/alpine-dockerio.yaml b/.gitea/workflows/alpine-dockerio.yaml new file mode 100644 index 0000000..c7d74ab --- /dev/null +++ b/.gitea/workflows/alpine-dockerio.yaml 
@@ -0,0 +1,60 @@ +name: Build and Push Alpine NGINX Image to docker.io Registry +on: + push: + branches: + - master + +jobs: + build: + name: Build and push image (root user) + runs-on: ubuntu-latest + container: + image: ghcr.io/catthehacker/ubuntu:act-latest + steps: + - name: Check out repository code + uses: actions/checkout@v3 + - name: Login to docker.io Registry + uses: docker/login-action@v3 + with: + registry: docker.io + username: aprimediet + password: ${{ secrets.DOCKER_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: . + file: Dockerfile.alpine + build-args: | + REGISTRY_URL=aprimediet + push: true + tags: | + aprimediet/nginx:alpine + aprimediet/nginx:latest-alpine + aprimediet/nginx:latest + build-rootless: + name: Build and push image (rootless) + runs-on: ubuntu-latest + container: + image: ghcr.io/catthehacker/ubuntu:act-latest + steps: + - name: Check out repository code + uses: actions/checkout@v3 + - name: Login to docker.io Registry + uses: docker/login-action@v3 + with: + registry: docker.io + username: aprimediet + password: ${{ secrets.DOCKER_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: . + file: Dockerfile.alpine-rootless + build-args: | + REGISTRY_URL=aprimediet + push: true + tags: | + aprimediet/nginx:rootless-alpine + aprimediet/nginx:rootless + aprimediet/nginx:latest-rootless-alpine + aprimediet/nginx:latest-rootless diff --git a/.gitea/workflows/alpine-winter.yaml b/.gitea/workflows/alpine-winter.yaml new file mode 100644 index 0000000..debbcfa --- /dev/null +++ b/.gitea/workflows/alpine-winter.yaml 
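Review bot: Every third-party action is referenced by a floating tag — `actions/checkout@v3`, `docker/login-action@v3`, `docker/build-push-action@v5` — and the job container by `ghcr.io/catthehacker/ubuntu:act-latest`, so whoever controls those tags controls what runs with the `DOCKER_TOKEN` secret in scope. Pin each action to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/login-action@<FULL_COMMIT_SHA>  # v3`, and pin the runner image by digest rather than `act-latest`. The `REGISTRY_URL=aprimediet` build arg also makes the base image resolve to `aprimediet/alpine:3.20` (a personal Docker Hub namespace) rather than the official `alpine` image, which deserves a comment on why that base is trusted. The same unpinned references appear in alpine-winter.yaml.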
@@ -0,0 +1,56 @@ +name: Build and Push Alpine NodeJS Image to Winter Access Registry +on: + push: + branches: + - master + +jobs: + build: + name: Build and push image (Root User) + runs-on: ubuntu-latest + container: + image: ghcr.io/catthehacker/ubuntu:act-latest + steps: + - name: Check out repository code + uses: actions/checkout@v3 + - name: Login to Docker Winter Access Git Registry + uses: docker/login-action@v3 + with: + registry: git.winteraccess.id + username: aditya.prima + password: ${{ secrets.PATOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: . + file: Dockerfile.alpine + push: true + tags: | + git.winteraccess.id/${{ gitea.repository }}:alpine + git.winteraccess.id/${{ gitea.repository }}:latest-alpine + git.winteraccess.id/${{ gitea.repository }}:latest + build-rootless: + name: Build and push image (rootless) + runs-on: ubuntu-latest + container: + image: ghcr.io/catthehacker/ubuntu:act-latest + steps: + - name: Check out repository code + uses: actions/checkout@v3 + - name: Login to Docker Winter Access Git Registry + uses: docker/login-action@v3 + with: + registry: git.winteraccess.id + username: aditya.prima + password: ${{ secrets.PATOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: . + file: Dockerfile.alpine-rootless + push: true + tags: | + git.winteraccess.id/${{ gitea.repository }}:rootless-alpine + git.winteraccess.id/${{ gitea.repository }}:rootless + git.winteraccess.id/${{ gitea.repository }}:latest-rootless-alpine + git.winteraccess.id/${{ gitea.repository }}:latest-rootless \ No newline at end of file diff --git a/Dockerfile.alpine b/Dockerfile.alpine new file mode 100644 index 0000000..1f5b7f8 --- /dev/null +++ b/Dockerfile.alpine 
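Review bot: The workflow's first line names it `Build and Push Alpine NodeJS Image to Winter Access Registry`, but both jobs build `Dockerfile.alpine` and `Dockerfile.alpine-rootless`, which install nginx; `name: Build and Push Alpine NGINX Image to Winter Access Registry`. Both jobs log in as a named individual (`username: aditya.prima` with `secrets.PATOKEN`), so every push is attributed to that person and the pipeline breaks when that account or token changes; a dedicated service account with a token scoped to package writes would decouple the build from personal credentials. The file also lacks a trailing newline.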
@@ -0,0 +1,29 @@
+ARG REGISTRY_URL=git.winteraccess.id/docker
+ARG ALPINE_VERSION=3.20
+
+FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
+LABEL maintainer=" aprimediet@gmail.com"
+
+WORKDIR /
+
+# INSTALL WGET AND REQUIRED BUILD TOOLS
+RUN --mount=type=cache,target=/var/cache/apk \
+ apk update && apk upgrade && apk add \
+ nginx nginx-mod-http-naxsi
+
+# COPY CONFIGURATION FILES
+ADD ./etc/nginx/nginx.conf /etc/nginx/
+ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
+ADD ./etc/nginx/proxy_params /etc/nginx/
+ADD ./etc/nginx/ssl_params /etc/nginx/
+ADD ./etc/nginx/conf.d /etc/nginx/conf.d
+
+ADD ./app /app
+
+# CLEAR CACHE
+RUN apk del curl && \
+ rm -rf /var/cache/apk/*
+
+CMD ["nginx"]
+
+EXPOSE 80
\ No newline at end of file
diff --git a/Dockerfile.alpine-rootless b/Dockerfile.alpine-rootless
new file mode 100644
index 0000000..a62a4c0
--- /dev/null
+++ b/Dockerfile.alpine-rootless
@@ -0,0 +1,38 @@
+ARG REGISTRY_URL=git.winteraccess.id/docker
+ARG ALPINE_VERSION=3.20
+
+FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
+LABEL maintainer=" aprimediet@gmail.com"
+
+WORKDIR /
+
+# ADD USER
+RUN addgroup -g 1001 nginx && adduser -D -u 1001 -G nginx -s /bin/bash -h /app nginx
+
+# INSTALL WGET AND REQUIRED BUILD TOOLS
+RUN --mount=type=cache,target=/var/cache/apk \
+ apk update && apk upgrade && apk add \
+ nginx nginx-mod-http-naxsi
+
+# COPY CONFIGURATION FILES
+ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf
+ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
+ADD ./etc/nginx/proxy_params /etc/nginx/
+ADD ./etc/nginx/ssl_params /etc/nginx/
+ADD ./etc/nginx/conf.d /etc/nginx/conf.d
+
+ADD ./app /app
+
+RUN touch /var/run/nginx.pid && chown nginx:nginx /var/run/nginx.pid
+
+# CLEAR CACHE
+RUN apk del curl && \
+ rm -rf /var/cache/apk/*
+
+# SET AS USER NODE
+WORKDIR /app
+USER nginx
+
+# CMD ["nginx"]
+
+EXPOSE 80
\ No newline at end of file
diff --git a/app/index.html b/app/index.html
new file mode 100644
index 0000000..ec5306e
--- /dev/null
+++ b/app/index.html
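Review bot: The cleanup step removes a package the image never installs: `apk del curl` follows a RUN that only adds `nginx nginx-mod-http-naxsi`, and the header comment `# INSTALL WGET AND REQUIRED BUILD TOOLS` describes neither wget nor build tools. The `rm -rf /var/cache/apk/*` is also redundant, since the apk cache in the install step lives in a BuildKit cache mount rather than in the layer. Suggest dropping the `apk del curl && \` line and rewriting the comment to `# INSTALL NGINX AND THE NAXSI WAF MODULE`. The local `ADD` directives would be safer as `COPY`, which has no URL-fetch or archive-extraction behaviour to surprise a future edit. The same applies to Dockerfile.alpine-rootless.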
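Review bot: The rootless image has no start command — `# CMD ["nginx"]` is commented out — so a container started without an explicit command inherits whatever CMD the base image sets and will not run nginx; restore `CMD ["nginx"]`. The shared conf.d/default.conf also has nginx `listen 80`, which uid 1001 cannot bind without CAP_NET_BIND_SERVICE, so either ship a rootless server config on an unprivileged port (`listen 8080;` with `EXPOSE 8080`) or document that the capability must be granted at run time. `adduser -s /bin/bash` assigns a login shell the Alpine base does not ship; `-s /sbin/nologin` fits a service account. The Alpine nginx package is known to create its own nginx account, so creating uid 1001 before `apk add nginx` may collide with it — worth confirming the resulting uid is the one the later `chown nginx:nginx /var/run/nginx.pid` expects.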
@@ -0,0 +1,29 @@ + + + +Welcome to nginx! + + + +

Welcome to nginx!

+

The aprimediet/nginx variant.

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+ +

For online documentation and support please refer to +nginx.org.
+Commercial support is available at +nginx.com.

+ +

For online documentation specific to the aprimediet/nginx,
+please refer to aprimediet/docker-nginx.

+ +

Thank you for using nginx.

+ + \ No newline at end of file diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf new file mode 100644 index 0000000..58682ea --- /dev/null +++ b/etc/nginx/conf.d/default.conf @@ -0,0 +1,16 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name _; + root /app; + index index.html; + + location / { + try_files $uri $uri/ =404; + } + + location ~* .(jpg|jpeg|png|gif|ico|css|js)$ { + expires 30d; + } +} \ No newline at end of file diff --git a/etc/nginx/naxsi_core.rules b/etc/nginx/naxsi_core.rules new file mode 100644 index 0000000..8b40fa8 --- /dev/null +++ b/etc/nginx/naxsi_core.rules 
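Review bot: The naxsi ruleset that nginx.conf includes at http level never takes effect here, because naxsi only inspects requests in locations that declare `SecRulesEnabled;`, and this server block has no `SecRulesEnabled;`, `DeniedUrl` or `CheckRule` directives, so the image ships a WAF module and rules with no enforcement. If blocking is intended, `location /` needs `SecRulesEnabled;`, `DeniedUrl "/RequestDenied";` and one `CheckRule "$SQL >= 8" BLOCK;`-style threshold per score variable used by the rules ($SQL, $RFI, $TRAVERSAL, $XSS, $EVADE, $UPLOAD), plus an internal `/RequestDenied` location that returns a 4xx; if not, the include in nginx.conf is dead weight and deserves a comment saying so. Separately, the dot in `location ~* .(jpg|jpeg|png|gif|ico|css|js)$` is unescaped and matches any character; `location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {`.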
@@ -0,0 +1,91 @@ +################################## +## INTERNAL RULES IDS:1-999 ## +################################## +#@MainRule "msg:weird request, unable to parse" id:1; +#@MainRule "msg:request too big, stored on disk and not parsed" id:2; +#@MainRule "msg:invalid hex encoding, null bytes" id:10; +#@MainRule "msg:unknown content-type" id:11; +#@MainRule "msg:invalid formatted url" id:12; +#@MainRule "msg:invalid POST format" id:13; +#@MainRule "msg:invalid POST boundary" id:14; +#@MainRule "msg:invalid JSON" id:15; +#@MainRule "msg:empty POST" id:16; +#@MainRule "msg:libinjection_sql" id:17; +#@MainRule "msg:libinjection_xss" id:18; +#@MainRule "msg:no generic rules" id:19; +#@MainRule "msg:bad utf8" id:20; + + + +################################## +## SQL Injections IDs:1000-1099 ## +################################## +MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000; +MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001; +MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; +## Hardcore rules +MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; +MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; +MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; +MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; +## end of hardcore rules +MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; +MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008; +MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; +MainRule 
"str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010; +MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011; +MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013; +MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; +MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; +MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017; + +############################### +## OBVIOUS RFI IDs:1100-1199 ## +############################### +MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; +MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; +MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102; +MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103; +MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104; +MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105; +MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106; +MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107; +MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108; +MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109; +MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110; +MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111; +MainRule "str:expect://" "msg:expect:// scheme" 
"mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112; +MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113; + +####################################### +## Directory traversal IDs:1200-1299 ## +####################################### +MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; +MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202; +MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203; +MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204; +MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; +#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206; +MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207; + +######################################## +## Cross Site Scripting IDs:1300-1399 ## +######################################## +MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; +MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; +MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; +MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; +MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; +MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; +MainRule "rx:%[23]." 
"msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; + +#################################### +## Evading tricks IDs: 1400-1500 ## +#################################### +MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; +MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; + +############################# +## File uploads: 1500-1600 ## +############################# +MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; \ No newline at end of file diff --git a/etc/nginx/nginx-rootless.conf b/etc/nginx/nginx-rootless.conf new file mode 100644 index 0000000..7bff90f --- /dev/null +++ b/etc/nginx/nginx-rootless.conf 
@@ -0,0 +1,69 @@
+# /etc/nginx/nginx.conf
+
+# Do not start as daemon
+daemon off;
+
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+# Set log to stderr
+error_log stderr warn;
+pid /var/run/nginx.pid;
+
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ include /etc/nginx/naxsi_core.rules;
+ default_type application/octet-stream;
+ server_tokens off;
+ keepalive_timeout 15;
+ sendfile on;
+ tcp_nodelay on;
+
+ log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+
+ # Do not log access
+ access_log /dev/stdout custom_log;
+
+ # SSL
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:2m;
+
+ # buffering causes issues, disable it
+ # increase buffer size. still useful even when buffering is off
+ proxy_buffering off;
+ proxy_buffer_size 4k;
+
+ # Buffer size
+ client_body_buffer_size 10k;
+ client_header_buffer_size 1k;
+ client_max_body_size 8m;
+ large_client_header_buffers 2 1k;
+
+ # Timeouts
+ client_body_timeout 12;
+ client_header_timeout 12;
+ send_timeout 10;
+
+ # GZip Compression
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 1280;
+ gzip_buffers 128 4k;
+ # gzip_proxied expired no-cache no-store private auth;
+ gzip_proxied any;
+ gzip_disable "msie6";
+ # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
+ gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
+
+ include /etc/nginx/conf.d/*.conf;
+}
\ No newline at end of file
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
new file mode 100644
index 0000000..1cae672
--- /dev/null
+++ b/etc/nginx/nginx.conf
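Review bot: The `# Do not log access` comment contradicts the `access_log /dev/stdout custom_log;` directive beneath it, which logs every request to stdout; `# Access log to stdout (collected by the container log driver)` would describe what the line does. `ssl_prefer_server_ciphers on;` here conflicts with `ssl_prefer_server_ciphers off;` in ssl_params, so the effective value depends on the context ssl_params is included from; pick one and remove the other. This file is otherwise identical to nginx.conf apart from that file's `user` line, and since nginx ignores `user` when the master process is not started as root, a single shared configuration would keep the two from drifting. nginx.conf carries the same stale comment and the same ssl_prefer_server_ciphers conflict.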
@@ -0,0 +1,71 @@
+# /etc/nginx/nginx.conf
+
+user root;
+
+# Do not start as daemon
+daemon off;
+
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+# Set log to stderr
+error_log stderr warn;
+pid /var/run/nginx.pid;
+
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ include /etc/nginx/naxsi_core.rules;
+ default_type application/octet-stream;
+ server_tokens off;
+ keepalive_timeout 15;
+ sendfile on;
+ tcp_nodelay on;
+
+ log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+
+ # Do not log access
+ access_log /dev/stdout custom_log;
+
+ # SSL
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:2m;
+
+ # buffering causes issues, disable it
+ # increase buffer size. still useful even when buffering is off
+ proxy_buffering off;
+ proxy_buffer_size 4k;
+
+ # Buffer size
+ client_body_buffer_size 10k;
+ client_header_buffer_size 1k;
+ client_max_body_size 8m;
+ large_client_header_buffers 2 1k;
+
+ # Timeouts
+ client_body_timeout 12;
+ client_header_timeout 12;
+ send_timeout 10;
+
+ # GZip Compression
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 1280;
+ gzip_buffers 128 4k;
+ # gzip_proxied expired no-cache no-store private auth;
+ gzip_proxied any;
+ gzip_disable "msie6";
+ # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
+ gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
+
+ include /etc/nginx/conf.d/*.conf;
+}
\ No newline at end of file
diff --git a/etc/nginx/proxy_params b/etc/nginx/proxy_params
new file mode 100644
index 0000000..11c0f2c
--- /dev/null
+++ b/etc/nginx/proxy_params
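Review bot: `user root;` makes the nginx worker processes run as root, so any request-handling flaw in nginx or the naxsi module executes with full privileges inside the container. The master still starts as root to bind port 80, so the workers do not need it; the Alpine nginx package ships an unprivileged `nginx` account, and `user nginx;` is the least-privilege default. If there is a reason root is required, it should be stated in a comment above the directive rather than left implicit.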
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
\ No newline at end of file
diff --git a/etc/nginx/ssl_params b/etc/nginx/ssl_params
new file mode 100644
index 0000000..db1efbe
--- /dev/null
+++ b/etc/nginx/ssl_params
@@ -0,0 +1,22 @@
+# secure nginx, see https://cipherli.st/
+
+ssl_protocols TLSv1.3
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+# https://hstspreload.org
+add_header Strict-Transport-Security "max-age=63072000" always;
+# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
+# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
\ No newline at end of file
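Review bot: `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever `X-Forwarded-For` value the client already sent, so everything but the right-most entry is client-controlled and an upstream that reads the first address for access control or rate limiting can be spoofed. A comment on that line would make the contract explicit, e.g. `# X-Forwarded-For is client-supplied except for the right-most address appended here; upstreams must trust only the last hop`. If this nginx itself sits behind another proxy, `X-Real-IP $remote_addr` will carry that proxy's address rather than the client's, which is worth noting alongside it.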
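Review bot: `ssl_protocols TLSv1.3` is missing its terminating semicolon, so nginx reads the next line as further arguments of `ssl_protocols` and fails its configuration check as soon as this file is included; `ssl_protocols TLSv1.3;`. `add_header X-XSS-Protection "1; mode=block";` is a deprecated header that current browsers ignore, and the modern replacement for that class of protection is a `Content-Security-Policy` header. nginx only inherits `add_header` directives from this level when the server or location block adds none of its own, so a location that adds a single header silently drops the whole set above; a comment such as `# add_header is not merged: any add_header in a child block replaces this entire set` would save the next maintainer a surprise. `resolver 8.8.8.8 8.8.4.4` also sends OCSP-stapling lookups over plaintext DNS to a hard-coded external resolver, where the container's own resolver is usually the better default.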