From 1faf7ed68660580f2c09bc6ba9c35cecc749fc4c Mon Sep 17 00:00:00 2001
From: Pinga <121483313+getpinga@users.noreply.github.com>
Date: Fri, 1 Dec 2023 22:20:05 +0200
Subject: [PATCH] Some more security instructions

---
 docs/install.md | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/docs/install.md b/docs/install.md
index 23183c2..f6f0959 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -12,7 +12,7 @@ apt update && apt upgrade
 apt install -y bzip2 caddy composer curl gettext git gnupg2 net-tools php8.2 php8.2-bcmath php8.2-cli php8.2-common php8.2-curl php8.2-fpm php8.2-gd php8.2-gmp php8.2-gnupg php8.2-imap php8.2-intl php8.2-mbstring php8.2-opcache php8.2-readline php8.2-swoole php8.2-xml pv unzip wget whois
 ```
 
-### Configure OPcache
+### Configure PHP
 
 Edit the PHP Configuration Files:
 
@@ -21,16 +21,21 @@ nano /etc/php/8.2/cli/php.ini
 nano /etc/php/8.2/fpm/php.ini
 ```
 
-Locate or add these lines in ```php.ini```:
+Locate or add these lines in ```php.ini```, also replace ```example.com``` with your registry domain name:
 
 ```bash
 opcache.enable=1
 opcache.enable_cli=1
 opcache.jit_buffer_size=100M
 opcache.jit=1255
+
+session.cookie_secure = 1
+session.cookie_httponly = 1
+session.cookie_samesite = "Strict"
+session.cookie_domain = example.com
 ```
 
-After configuring OPcache and JIT, restart the PHP service to apply changes:
+After configuring PHP, restart the service to apply changes:
 
 ```bash
 systemctl restart php8.2-fpm
@@ -96,6 +101,16 @@ rdap.example.com {
     encode gzip
     file_server
     tls your-email@example.com
+    header * {
+        Referrer-Policy "no-referrer"
+        Strict-Transport-Security max-age=31536000;
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        X-XSS-Protection "1; mode=block"
+        Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src https:; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; worker-src 'none'; frame-src 'none';"
+        Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'none'; usb 'none'; vr 'none';"
+        Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), speaker=(), usb=(), vr=();
+    }
 }
 
 whois.example.com {
@@ -105,6 +120,16 @@ whois.example.com {
     php_fastcgi unix//run/php/php8.2-fpm.sock
     file_server
     tls your-email@example.com
+    header * {
+        Referrer-Policy "no-referrer"
+        Strict-Transport-Security max-age=31536000;
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        X-XSS-Protection "1; mode=block"
+        Content-Security-Policy: default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src https:; font-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; script-src 'none'; form-action 'self'; worker-src 'none'; frame-src 'none';
+        Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'none'; usb 'none'; vr 'none';"
+        Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), speaker=(), usb=(), vr=();
+    }
 }
 
 cp.example.com {
@@ -127,6 +152,16 @@ cp.example.com {
         root * /usr/share/adminer
         php_fastcgi unix//run/php/php8.2-fpm.sock
     }
+    header * {
+        Referrer-Policy "no-referrer"
+        Strict-Transport-Security max-age=31536000;
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        X-XSS-Protection "1; mode=block"
+        Content-Security-Policy "default-src 'none'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; img-src https:; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'none'; form-action 'self'; worker-src 'none'; frame-src 'none';"
+        Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'none'; usb 'none'; vr 'none';"
+        Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), speaker=(), usb=(), vr=();
+    }
 }
 ```