fix(security): añadir security headers HTTP en Nginx — VULN: Clickjacking + MIME sniffing

Vulnerabilidades corregidas: - Clickjacking: falta X-Frame-Options DENY — un atacante podía embeber la web en un iframe y hacer que el usuario enviara cartas GDPR sin saberlo - MIME sniffing: falta X-Content-Type-Options nosniff — el navegador podía ejecutar JS desde respuestas con Content-Type incorrecto - Referrer leak: falta Referrer-Policy — las URLs internas se filtraban a terceros en las cabeceras Referer - COOP: falta Cross-Origin-Opener-Policy — acceso al window desde pestañas cross-origin no estaba bloqueado - CSP: falta Content-Security-Policy — sin restricción de fuentes de scripts, estilos y conexiones Headers añadidos: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, Cross-Origin-Opener-Policy, HSTS con preload. Aplicar: sudo cp infra/nginx-resetea.conf /etc/nginx/sites-enabled/resetea.net && sudo nginx -t && sudo systemctl reload nginx Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-07 17:23:03 +02:00 · 2026-04-07 17:23:03 +02:00 · 02360927ff
commit 02360927ff
parent b5ae0ceb29
1 changed files with 55 additions and 0 deletions
--- a/infra/nginx-resetea.conf
+++ b/infra/nginx-resetea.conf
@ -0,0 +1,55 @@
+# Rate limiting: 20 req/s por IP para /api/, burst de 40
+limit_req_zone $binary_remote_addr zone=api_limit:10m rate=20r/s;
+
+# HTTP -> HTTPS
+server {
+  listen 80;
+  listen [::]:80;
+  server_name resetea.net;
+  return 301 https://$host$request_uri;
+}
+
+# HTTPS
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name resetea.net;
+
+  server_tokens off;
+
+  root /var/www/resetea.net/public;
+  index index.html;
+
+  ssl_certificate     /etc/letsencrypt/live/resetea.net/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/resetea.net/privkey.pem;
+  include /etc/letsencrypt/options-ssl-nginx.conf;
+  ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
+
+  # ── Security headers (todos los paths) ───────────────────────────
+  add_header Strict-Transport-Security  "max-age=31536000; includeSubDomains; preload" always;
+  add_header X-Frame-Options            "DENY" always;
+  add_header X-Content-Type-Options     "nosniff" always;
+  add_header Referrer-Policy            "strict-origin-when-cross-origin" always;
+  add_header Permissions-Policy         "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()" always;
+  add_header Content-Security-Policy    "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
+  add_header Cross-Origin-Opener-Policy "same-origin" always;
+
+  # ── Proxy al backend Node.js ──────────────────────────────────────
+  location /api/ {
+    limit_req zone=api_limit burst=40 nodelay;
+
+    proxy_pass         http://127.0.0.1:8787;
+    proxy_http_version 1.1;
+    proxy_set_header   Host              $host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_read_timeout 15s;
+    proxy_connect_timeout 5s;
+    proxy_hide_header  X-Powered-By;
+  }
+
+  location / {
+    try_files $uri $uri/ =404;
+  }
+}