# Rate limiting: 20 req/s por IP para /api/, burst de 40 limit_req_zone $binary_remote_addr zone=api_limit:10m rate=20r/s; # HTTP -> HTTPS server { listen 80; listen [::]:80; server_name resetea.net; return 301 https://$host$request_uri; } # HTTPS server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name resetea.net; server_tokens off; root /var/www/resetea.net/public; index index.html; ssl_certificate /etc/letsencrypt/live/resetea.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/resetea.net/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # ── Security headers (todos los paths) ─────────────────────────── add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Frame-Options "DENY" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()" always; add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always; add_header Cross-Origin-Opener-Policy "same-origin" always; # ── Proxy al backend Node.js ────────────────────────────────────── location /api/ { limit_req zone=api_limit burst=40 nodelay; proxy_pass http://127.0.0.1:8787; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 15s; proxy_connect_timeout 5s; proxy_hide_header X-Powered-By; } location / { try_files $uri $uri/ =404; } }