diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index bfb932b2..0514bcbd 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -202,12 +202,19 @@ http {
 try_files $uri.html =404;
 }
+ location = /favicon.ico {
+ include snippets/security-headers.conf;
+ # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+ add_header Cross-Origin-Resource-Policy "cross-origin" always;
+ add_header Cache-Control "public, max-age=604800";
+ }
+ # broken link (now fixed) on https://noagendaphone.com/ with UTF-8 replacement character
 location ~ "^/\xEF\xBF\xBC$" {
 return 301 /;
 }
- location ~ "\.(ico|webmanifest)$" {
+ location ~ "\.webmanifest$" {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
 add_header Cache-Control "public, max-age=604800";
@@ -221,6 +228,8 @@ http {
 location ~ "\.svg$" {
 include snippets/security-headers.conf;
+ # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+ add_header Cross-Origin-Resource-Policy "cross-origin" always;
 add_header Cache-Control "public, max-age=31536000";
 }
@@ -234,6 +243,8 @@ http {
 location ~ "\.png$" {
 include snippets/security-headers.conf;
+ # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+ add_header Cross-Origin-Resource-Policy "cross-origin" always;
 add_header Cache-Control "public, max-age=31536000";
 gzip_static off;
 brotli_static off;
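Review bot: Dropping `ico` from the regex on the `- location ~ "\.(ico|webmanifest)$"` line means any `.ico` other than exactly `/favicon.ico` now matches neither block and is served by whatever location catches it by default, so it loses the `include snippets/security-headers.conf;` and carries no Cross-Origin-Resource-Policy header at all. If other `.ico` files exist (theme or asset paths, for example), a `location ~ "\.ico$"` with the `cross-origin` policy would cover them all instead of the exact-match block. The new `add_header Cache-Control "public, max-age=604800";` in the favicon block also omits `always`, unlike the CORP line right above it; that is arguably deliberate (it keeps a 404 for the icon from being cached for a week), so a one-line comment such as `# no "always": do not let a missing favicon be cached for a week` would stop the next reader from "fixing" it. The `location ~ "\.webmanifest$"` block continues past the end of the hunk.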
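Review bot: Setting `add_header Cross-Origin-Resource-Policy "cross-origin" always;` on `location ~ "\.svg$"` lets any origin fetch or embed these files, which is the stated intent, but SVG is active content (it can carry scripts and is executed when opened as a top-level document) and CORP does nothing to constrain that. Whether this is safe depends on what `snippets/security-headers.conf` emits for this location, which is not visible here; confirm it still sends `X-Content-Type-Options: nosniff` and a Content-Security-Policy that applies to the SVG, and if it does not, add something like `add_header Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'; sandbox" always;` to this block, particularly if any SVGs are user-uploaded. The same comment-plus-header pair is now duplicated across three locations; moving it into a small snippet included with one line would keep the policy from drifting between them.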