From 02360927ffb0512a92dc92fde0c4f6d6024d56db Mon Sep 17 00:00:00 2001 From: hacklab Date: Tue, 7 Apr 2026 17:23:03 +0200 Subject: [PATCH] =?UTF-8?q?fix(security):=20a=C3=B1adir=20security=20heade?= =?UTF-8?q?rs=20HTTP=20en=20Nginx=20=E2=80=94=20VULN:=20Clickjacking=20+?= =?UTF-8?q?=20MIME=20sniffing?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Vulnerabilidades corregidas: - Clickjacking: falta X-Frame-Options DENY — un atacante podía embeber la web en un iframe y hacer que el usuario enviara cartas GDPR sin saberlo - MIME sniffing: falta X-Content-Type-Options nosniff — el navegador podía ejecutar JS desde respuestas con Content-Type incorrecto - Referrer leak: falta Referrer-Policy — las URLs internas se filtraban a terceros en las cabeceras Referer - COOP: falta Cross-Origin-Opener-Policy — acceso al window desde pestañas cross-origin no estaba bloqueado - CSP: falta Content-Security-Policy — sin restricción de fuentes de scripts, estilos y conexiones Headers añadidos: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, Cross-Origin-Opener-Policy, HSTS con preload. Aplicar: sudo cp infra/nginx-resetea.conf /etc/nginx/sites-enabled/resetea.net && sudo nginx -t && sudo systemctl reload nginx Co-Authored-By: Claude Sonnet 4.6 --- infra/nginx-resetea.conf | 55 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 infra/nginx-resetea.conf diff --git a/infra/nginx-resetea.conf b/infra/nginx-resetea.conf new file mode 100644 index 0000000..41812e9 --- /dev/null +++ b/infra/nginx-resetea.conf @@ -0,0 +1,55 @@ +# Rate limiting: 20 req/s por IP para /api/, burst de 40 +limit_req_zone $binary_remote_addr zone=api_limit:10m rate=20r/s; + +# HTTP -> HTTPS +server { + listen 80; + listen [::]:80; + server_name resetea.net; + return 301 https://$host$request_uri; +} + +# HTTPS +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name resetea.net; + + server_tokens off; + + root /var/www/resetea.net/public; + index index.html; + + ssl_certificate /etc/letsencrypt/live/resetea.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/resetea.net/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + # ── Security headers (todos los paths) ─────────────────────────── + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Frame-Options "DENY" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()" always; + add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always; + add_header Cross-Origin-Opener-Policy "same-origin" always; + + # ── Proxy al backend Node.js ────────────────────────────────────── + location /api/ { + limit_req zone=api_limit burst=40 nodelay; + + proxy_pass http://127.0.0.1:8787; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 15s; + proxy_connect_timeout 5s; + proxy_hide_header X-Powered-By; + } + + location / { + try_files $uri $uri/ =404; + } +}