levineuwirth.org

Commit Graph

Author	SHA1	Message	Date
Levi Neuwirth	59fcc15ca6	nginx: preserve security baseline in every location; install on VPS add_header is non-additive: any location declaring its own add_header drops all server-context headers. archive.conf already re-included the baseline for exactly this reason, but static-assets.conf (four cache locations — including the JS/CSS responses where nosniff matters most) and popup-proxy.conf (three proxy locations) did not. All seven now re-include snippets/security-headers.conf. Proxy locations additionally hide the upstream's own STS/CSP/X-Frame-Options before re-adding ours: browsers honor only the FIRST Strict-Transport-Security header (RFC 6797 §8.1), so arXiv's max-age=300 passing through ahead of ours would have downgraded the domain's cached HSTS policy on every popup fetch. Server side (installed + verified live): security-headers.conf and archive.conf wired into the vhost in vhost.conf.example's canonical order; nginx-mod-brotli installed and loaded, so the .br sidecars compress-assets.sh has always shipped are now actually served (Content-Encoding: br verified). CSP remains Report-Only. Verified headers on /, /css/.css (baseline + Cache-Control together), /archive/ (baseline + X-Robots-Tag), and /proxy/ (baseline + X-Cache-Status, single STS). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-10 12:11:46 -04:00
Levi Neuwirth	87819501a5	nginx: ship security baseline, reference vhost, and tighter cache - Add nginx/security-headers.conf — server_tokens off, HSTS (1y + preload), X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy, and a usage-scoped CSP. CSP ships in Report-Only mode; promote to enforcing once the report stream is clean for a week. CSP allowlists are derived from actual usage (cdn.jsdelivr.net for KaTeX/Vega, *.basemaps.cartocdn.com for Leaflet tiles); 'unsafe-inline' and 'unsafe-eval' are documented inline. - Add nginx/vhost.conf.example — reference vhost showing the canonical include order. The live vhost on the VPS remains the source of truth; this file documents the structure so the VPS config can be reproduced or audited from the repo. - Shorten unfingerprinted CSS/JS cache from 24h to 1h. Bug fixes ship to warm clients within an hour; if assets are ever fingerprinted, this can move to immutable. - Refresh README repo layout — add nginx/ entry, drop stale paper/ and spec.md references that never existed in the working tree. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 15:08:03 -04:00
Levi Neuwirth	6d2f9d12ae	PDF compression	2026-04-22 12:40:22 -04:00

Author

SHA1

Message

Date

Levi Neuwirth

59fcc15ca6

nginx: preserve security baseline in every location; install on VPS

add_header is non-additive: any location declaring its own add_header
drops all server-context headers. archive.conf already re-included the
baseline for exactly this reason, but static-assets.conf (four cache
locations — including the JS/CSS responses where nosniff matters most)
and popup-proxy.conf (three proxy locations) did not. All seven now
re-include snippets/security-headers.conf.

Proxy locations additionally hide the upstream's own
STS/CSP/X-Frame-Options before re-adding ours: browsers honor only the
FIRST Strict-Transport-Security header (RFC 6797 §8.1), so arXiv's
max-age=300 passing through ahead of ours would have downgraded the
domain's cached HSTS policy on every popup fetch.

Server side (installed + verified live): security-headers.conf and
archive.conf wired into the vhost in vhost.conf.example's canonical
order; nginx-mod-brotli installed and loaded, so the .br sidecars
compress-assets.sh has always shipped are now actually served
(Content-Encoding: br verified). CSP remains Report-Only. Verified
headers on /, /css/*.css (baseline + Cache-Control together),
/archive/ (baseline + X-Robots-Tag), and /proxy/* (baseline +
X-Cache-Status, single STS).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-10 12:11:46 -04:00

Levi Neuwirth

87819501a5

nginx: ship security baseline, reference vhost, and tighter cache

- Add nginx/security-headers.conf — server_tokens off, HSTS (1y +
  preload), X-Content-Type-Options, X-Frame-Options DENY,
  Referrer-Policy, Permissions-Policy, and a usage-scoped CSP. CSP
  ships in Report-Only mode; promote to enforcing once the report
  stream is clean for a week. CSP allowlists are derived from actual
  usage (cdn.jsdelivr.net for KaTeX/Vega, *.basemaps.cartocdn.com for
  Leaflet tiles); 'unsafe-inline' and 'unsafe-eval' are documented
  inline.
- Add nginx/vhost.conf.example — reference vhost showing the canonical
  include order. The live vhost on the VPS remains the source of
  truth; this file documents the structure so the VPS config can be
  reproduced or audited from the repo.
- Shorten unfingerprinted CSS/JS cache from 24h to 1h. Bug fixes ship
  to warm clients within an hour; if assets are ever fingerprinted,
  this can move to immutable.
- Refresh README repo layout — add nginx/ entry, drop stale paper/
  and spec.md references that never existed in the working tree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-07 15:08:03 -04:00

Levi Neuwirth

6d2f9d12ae

PDF compression

2026-04-22 12:40:22 -04:00

3 Commits