From abdb5a9fcc72afa0213bd2c6318215a3b3426483 Mon Sep 17 00:00:00 2001
From: root <root@sides-tck.tck.com.my>
Date: Thu, 28 May 2026 16:40:35 +0800
Subject: [PATCH] =?UTF-8?q?fix(security):=20resolve=20F-23=20=E2=80=94=20a?=
 =?UTF-8?q?dd=20Referrer-Policy=20and=20CSP=20headers=20to=20Nginx=20confi?=
 =?UTF-8?q?g?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docker/nginx/default.conf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
index a40c31ce..1b1734d3 100644
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -5,9 +5,11 @@ server {
     access_log /var/log/nginx/access.log;
     root /var/www/html/public;
 
-    add_header X-Frame-Options "SAMEORIGIN";
-    add_header X-XSS-Protection "1; mode=block";
-    add_header X-Content-Type-Options "nosniff";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://unpkg.com https://fonts.googleapis.com; img-src 'self' data: https://*.tile.openstreetmap.org; font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; connect-src 'self' https://*.tile.openstreetmap.org;" always;
 
     charset utf-8;