Set CSP policy for static assets for security hardeninng

docs/installation/installation_guide-debian.md

@@ -232,7 +232,7 @@ sudo ln -s /etc/apache2/sites-available/partdb.conf /etc/apache2/sites-enabled/p
 Configure apache to show pretty URL paths for Part-DB (`/label/dialog` instead of `/index.php/label/dialog`):
 
 ```bash
-sudo a2enmod rewrite
+sudo a2enmod rewrite headers
 ```
 
 If you want to access Part-DB via the IP-Address of the server, instead of the domain name, you have to remove the

docs/installation/nginx.md

@@ -36,6 +36,10 @@ server {
     root /var/www/partdb/public;
 
     location / {
+        # Headers are set here for static assets. PHP responses are served via the index.php location
+        # below and inherit neither of these headers, so Nelmio's PHP-side CSP is unaffected.
+        add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; sandbox;" always;
+        add_header X-Content-Type-Options "nosniff" always;
         try_files $uri /index.php$is_args$args;
     }
 
@@ -57,10 +61,12 @@ server {
     location ~* ^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)$ {
         return 403;
     }
-    
-    # Set Content-Security-Policy for svg files, to block embedded javascript in there
+
+    # SVG files get a slightly different CSP because they can embed resources and must not be framed.
+    # This regex location takes precedence over location /, so headers must be repeated here.
     location ~* \.svg$ {
-        add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; sandbox;" always;
+        add_header X-Content-Type-Options "nosniff" always;
     }
 
     error_log /var/log/nginx/parts.error.log;