conf.d/default.conf - openwhisk-apigateway - Git at Google

 #
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
 # (the "License"); you may not use this file except in compliance with
 # the License.  You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #

 server {
     listen 80 default_server;

     server_tokens off;


     # config to don't allow the browser to render the page inside an frame or iframe
     # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
     # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
     # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
     add_header X-Frame-Options SAMEORIGIN;

     # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
     # to disable content-type sniffing on some browsers.
     # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
     # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
     # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
     # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
     add_header X-Content-Type-Options nosniff;

     # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
     # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
     # this particular website if it was disabled by the user.
     # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
     add_header X-XSS-Protection "1; mode=block";

     #turn off the uninitialized_variable_warn ,as it writes to error_log , hence io
     uninitialized_variable_warn off;

     # default locations exposed on the default VHost and port
     include /etc/api-gateway/conf.d/includes/*.conf;
 }
	#
	# Licensed to the Apache Software Foundation (ASF) under one or more
	# contributor license agreements. See the NOTICE file distributed with
	# this work for additional information regarding copyright ownership.
	# The ASF licenses this file to You under the Apache License, Version 2.0
	# (the "License"); you may not use this file except in compliance with
	# the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#

	server {
	listen 80 default_server;

	server_tokens off;


	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
	# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	#turn off the uninitialized_variable_warn ,as it writes to error_log , hence io
	uninitialized_variable_warn off;

	# default locations exposed on the default VHost and port
	include /etc/api-gateway/conf.d/includes/*.conf;
	}