upd: update the nginx proxy config#27

Merged
Zay-M3 merged 1 commit into
mainfrom
add/nginx-proxy
Apr 16, 2026

Conversation

@Zay-M3 Zay-M3 (Owner) commented Apr 16, 2026

Summary by CodeRabbit

  • Chores
    • Updated Nginx server-level configuration with enhanced request filtering for sensitive file types (environment, backup, and temporary files) and hidden files, with exceptions for well-known directories.
    • Added HTTP response headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) to server responses.

@Zay-M3 Zay-M3 self-assigned this Apr 16, 2026
@coderabbitai coderabbitai Bot commented Apr 16, 2026

📝 Walkthrough

Added Nginx security controls to block hidden files and sensitive file extensions via regex location blocks, implemented security response headers including X-Frame-Options, X-Content-Type-Options, and Referrer-Policy, and made minor formatting adjustments to the configuration template.

Changes

Cohort / File(s): Nginx Security Hardening (app/proxy/nginx.conf.template)
Summary: Added server-level location blocks to deny access to hidden files (excluding /.well-known) and sensitive file extensions (.env, .log, .sql, .bak, .swp, .sh, .php). Added security response headers (X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin) with the always directive. Minor formatting changes including blank line insertion in the /api/ location block and EOF newline removal.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With whiskers twitching, I guard the gates,
Hidden files blocked before it's too late,
.env and secrets tucked safe away,
Headers standing watch night and day,
A fortified burrow, secure and tight! 🛡️

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive. The title is vague and overly generic, using non-descriptive terms like 'update' without specifying the actual security improvements made to the nginx configuration. Resolution: consider a more specific title such as 'Add nginx security headers and file access restrictions' to clearly convey the main changes.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

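As an added example that is not part of this PR or of the project's nginx.conf.template: the two location regexes below are a common way of writing the hidden-file and sensitive-extension rules the walkthrough describes, and are assumed here rather than copied from the repository. Running them over constructed request paths shows what each rule catches and, more usefully, what slips through: `~*` makes the extension match case-insensitive; nginx matches against the decoded, query-less $uri (approximated by `normalize`); `backup.sql.gz` and `settings.env.example` survive because the extension rule is anchored on `$`; and a bare `(?!well-known)` lookahead also exempts any hidden directory whose name merely starts with `well-known`. The `strict` variant closes that last gap with `(?!well-known/)`.

```python
import re
from urllib.parse import unquote

# Assumed form of the PR's rules (not copied from app/proxy/nginx.conf.template):
#   location ~  /\.(?!well-known)                  { deny all; }
#   location ~* \.(env|log|sql|bak|swp|sh|php)$    { deny all; }
HIDDEN_FILE_RULE = re.compile(r"/\.(?!well-known)")
# Stricter variant: exempt only the /.well-known/ directory itself, not /.well-known-foo
HIDDEN_FILE_RULE_STRICT = re.compile(r"/\.(?!well-known/)")
# '~*' in nginx is a case-insensitive regex match, hence re.IGNORECASE
SENSITIVE_EXT_RULE = re.compile(r"\.(env|log|sql|bak|swp|sh|php)$", re.IGNORECASE)


def normalize(uri: str) -> str:
    """Approximate the $uri that nginx matches location regexes against:
    query string removed, percent-encoding decoded, duplicate slashes merged
    (merge_slashes is on by default). Dot-segment removal is left out."""
    path = uri.split("?", 1)[0]
    path = unquote(path)
    return re.sub(r"/{2,}", "/", path)


def is_denied(uri: str, strict: bool = False) -> bool:
    """True if either deny rule would match the normalized request path."""
    path = normalize(uri)
    hidden = HIDDEN_FILE_RULE_STRICT if strict else HIDDEN_FILE_RULE
    return bool(hidden.search(path) or SENSITIVE_EXT_RULE.search(path))


# Constructed sample requests, labelled with what an operator would expect
# from the non-strict rules as assumed above.
SAMPLE_URIS = {
    "/.env": True,
    "/.git/config": True,
    "/app/.htaccess": True,
    "/.well-known/acme-challenge/token": False,  # the intended exception
    "/backup.sql": True,
    "/dump.SQL": True,             # caught only because of '~*'
    "/deploy.sh?x=1": True,        # query string is not part of $uri
    "/%2Eenv": True,               # nginx decodes before matching
    "/backup.sql.gz": False,       # GAP: rule is anchored on the last extension
    "/config/settings.env.example": False,  # GAP: same reason
    "/.well-known-private/key": False,      # GAP: lookahead has no trailing slash
}


def report(samples=SAMPLE_URIS, strict: bool = False) -> list:
    """Return (uri, denied) pairs for every sample under the chosen hidden-file rule."""
    return [(uri, is_denied(uri, strict=strict)) for uri in samples]


if __name__ == "__main__":
    for uri, denied in report():
        print(("DENY " if denied else "allow"), uri)
    print("strict lookahead on /.well-known-private/key:",
          is_denied("/.well-known-private/key", strict=True))
```

The three GAP entries are the ones worth checking against the real template: if archived dumps or `.env.*` variants can exist under the document root, anchor the extension rule on a path segment rather than `$`, and prefer the trailing-slash lookahead so only the ACME/security.txt directory is exempted.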

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
app/proxy/nginx.conf.template (1)

25-27: Use strict-origin-when-cross-origin for a stricter Referrer-Policy default.

At line 27, no-referrer-when-downgrade is permissive for HTTPS cross-origin scenarios. Modern security baselines (OWASP, MDN) recommend strict-origin-when-cross-origin as a stronger default unless explicitly required otherwise.

Proposed change
-    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
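Review bot: the `-` line this hunk removes conflicts with the walkthrough summary earlier in this thread, which already lists Referrer-Policy as strict-origin-when-cross-origin for the same file; confirm which value is actually at line 27 of app/proxy/nginx.conf.template in 7cfc4c4 before applying, since one of the two bot outputs is stale. Separately, nginx inherits server-level add_header directives into a location block only when that block declares no add_header of its own, so any location that sets its own headers (the /api/ block, for instance) silently drops all three security headers; check that it still receives them, and keep `always` so they are also emitted on 4xx/5xx responses.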
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/proxy/nginx.conf.template` around lines 25 - 27, The Referrer-Policy
header currently uses "no-referrer-when-downgrade" which is permissive for HTTPS
cross-origin requests; update the nginx configuration line that sets the
Referrer-Policy (the add_header Referrer-Policy declaration) to use
"strict-origin-when-cross-origin" instead so the policy is stricter for
cross-origin referrals while preserving same-origin full referrers.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 175218ef-6627-4620-bd4d-afb0a1cad1ee

📥 Commits

Reviewing files that changed from the base of the PR and between 5bb233b and 7cfc4c4.

📒 Files selected for processing (1)
  • app/proxy/nginx.conf.template

@Zay-M3 Zay-M3 merged commit 76a1e47 into main Apr 16, 2026
2 checks passed

1 participant