This repository has been archived by the owner on Aug 21, 2022. It is now read-only.

chore(release): 1.2.1 [skip ci]
## [1.2.1](v1.2.0...v1.2.1) (2021-01-08)

### Bug Fixes

* **ssl:** use intermediate security policy ([482f78b](482f78b))
stackhead-bot committed Jan 8, 2021
1 parent a272874 commit 0ee88fa
Showing 7 changed files with 14 additions and 15 deletions.
Expand Up @@ -9,6 +9,6 @@
# something like `*.css?v231`, please see:
# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/

location ~* (.+)\.(?:\w+)\.(avifs?|bmp|css|cur|gif|ico|jpe?g|m?js|a?png|svgz?|webp|webmanifest)$ {
location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
try_files $uri $1.$2;
}
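Review bot: the new `location` pattern no longer lists `avifs?` and matches only `png` where the removed line had `a?png`, so revved AVIF and APNG filenames (for example `image.abc123.avif`) stop matching this block and never reach `try_files $uri $1.$2;`. If the site serves those formats with fingerprinted names, keep both alternatives in the extension group, or record in the changelog that dropping them is intended.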
Expand Up @@ -5,7 +5,7 @@
# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a Content Security Policy which permits
# This can be done by setting a `Content Security Policy` which whitelists
# trusted sources of content for your website.
#
# There is no policy that fits all websites, you will have to modify the
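Review bot: the reworded comment line replaces "permits" with "whitelists" and wraps the phrase in backticks as `Content Security Policy`, which is not the header name (`Content-Security-Policy`) and so reads as a literal that does not exist. Keep the removed wording, or use the hyphenated header name if a literal is intended.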
Expand Up @@ -8,9 +8,9 @@
# web browsers.
#
# The filter is usually enabled by default, but in some cases, it may be
# disabled by the user. However, in Internet Explorer, for example, it can
# be re-enabled just by sending the `X-XSS-Protection` header with the
# value of `1`.
# disabled by the user. However, in Internet Explorer, for example, it can be
# re-enabled just by sending the `X-XSS-Protection` header with the value
# of `1`.
#
# (2) Prevent web browsers from rendering the web page if a potential reflected
# (a.k.a non-persistent) XSS attack is detected by the filter.
4 changes: 2 additions & 2 deletions vendor/server-configs-nginx/h5bp/ssl/certificate_files.conf
Expand Up @@ -8,7 +8,7 @@
# users of IE 8 and below on WinXP can see your main site without SSL errors.
#
# (1) Certificate and key files location
# The certificate file can contain an intermediate certificate.
# The certificate file can contain intermediate certificate.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
#
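Review bot: in item (1) the new line "The certificate file can contain intermediate certificate." drops the article that the removed line had; keep "an intermediate certificate". The change is comment-only, so reverting it does not affect behaviour.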
Expand All @@ -17,7 +17,7 @@
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
#
# (3) CA certificate file location for client certificate authentication.
# (3) CA certificate file location for client certificate authentication
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

6 changes: 3 additions & 3 deletions vendor/server-configs-nginx/h5bp/ssl/policy_intermediate.conf
Expand Up @@ -5,9 +5,9 @@
# For services that don't need backward compatibility, the parameters below
# provide a higher level of security.
#
# (!) This policy enforces a mildly strong SSL configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use the "deprecated" policy.
# (!) This policy enforces a strong SSL configuration, which may raise errors
# with old clients.
# If a more compatible profile is required, use the intermediate policy.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable but are required to support Microsoft Edge
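Review bot: this file is policy_intermediate.conf, yet the new fallback line reads "If a more compatible profile is required, use the intermediate policy.", which points the reader back at the policy they are already using; the removed line named the "deprecated" policy. The new "(!)" text also calls this policy "strong" where the removed text said "mildly strong". Restore the three removed lines so the fallback guidance names a different, more compatible policy.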
7 changes: 3 additions & 4 deletions vendor/server-configs-nginx/h5bp/ssl/policy_modern.conf
Expand Up @@ -5,7 +5,7 @@
# For services that want to be on the bleeding edge, the parameters below
# sacrifice compatibility for the highest level of security and performance.
#
# (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
# to be installed.
#
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
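Review bot: the new first "(!)" line changes the possessive "its 0-RTT feature" to the contraction "it's 0-RTT feature", which is a grammar regression in the sentence stating the NGINX >=1.15.4 and OpenSSL >=1.1.1 requirement. Keep "its".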
Expand All @@ -23,9 +23,8 @@
#
# (!) Requests sent within early data are subject to replay attacks.
# To protect against such attacks at the application layer, the
# `$ssl_early_data` variable should be used:
#
# proxy_set_header Early-Data $ssl_early_data;
# $ssl_early_data variable should be used:
# proxy_set_header Early-Data $ssl_early_data;
#
# The application should return response code 425 "Too Early" for anything
# that could contain user supplied data.
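Review bot: the replay-protection guidance loses its structure in the new lines: the backticks around `$ssl_early_data` are dropped and `proxy_set_header Early-Data $ssl_early_data;` now follows the sentence with no separating `#` line, so the directive no longer stands out as the line to copy. Keep the removed layout so operators who enable early data do not miss the header that lets the application answer 425 "Too Early".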
Expand Up @@ -8,7 +8,7 @@
# (!) To make this part relevant, you need to generate encoded files by your
# own. Enabling this part will not auto-generate brotlied files.
#
# Note that some clients (e.g. browsers) require a secure connection to request
# Note that some clients (eg. browsers) require a secure connection to request
# brotli-compressed resources.
# https://www.chromestatus.com/feature/5420797577396224
#
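Review bot: the new note line writes the abbreviation as "eg." where the removed line had "e.g."; keep "e.g." so the comment stays consistent with standard usage. Nothing else in this hunk changes.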