Move security-related HTTP response headers from Rust to nginx.conf

config/nginx.conf.erb

@@ -1,3 +1,21 @@
+<%
+def s3_host(env)
+	cdn = env['S3_CDN']
+	if cdn and !cdn.empty?
+		return cdn
+	end
+
+	region = env['S3_REGION']
+	bucket = env['S3_BUCKET']
+
+	if region and !region.empty?
+		region = "-#{region}"
+	end
+
+	return "#{bucket}.s3#{region}.amazonaws.com"
+end
+%>
+
 daemon off;
 #Heroku dynos have at least 4 cores.
 worker_processes <%= ENV['NGINX_WORKERS'] || 4 %>;
@@ -121,6 +139,11 @@ http {
 			expires max;
 		}
 
+		add_header X-Content-Type-Options "nosniff";
+		add_header X-Frame-Options "SAMEORIGIN";
+		add_header X-XSS-Protection "1; mode=block";
+		add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://docs.rs https://<%= s3_host(ENV) %>; script-src 'self' 'unsafe-eval' https://www.google.com; style-src 'self' https://www.google.com https://ajax.googleapis.com; img-src *; object-src 'none'";
+
 		add_header Strict-Transport-Security "max-age=31536000" always;
 		add_header Vary 'Accept, Accept-Encoding, Cookie';
 		proxy_set_header Host $http_host;

src/middleware.rs

@@ -15,7 +15,6 @@ use self::debug::*;
 use self::ember_index_rewrite::EmberIndexRewrite;
 use self::head::Head;
 use self::log_connection_pool_status::LogConnectionPoolStatus;
-use self::security_headers::SecurityHeaders;
 use self::static_or_continue::StaticOrContinue;
 
 pub mod app;
@@ -28,7 +27,6 @@ mod head;
 mod log_connection_pool_status;
 mod log_request;
 mod require_user_agent;
-mod security_headers;
 mod static_or_continue;
 
 use conduit_conditional_get::ConditionalGet;
@@ -74,9 +72,6 @@ pub fn build_middleware(app: Arc<App>, endpoints: R404) -> MiddlewareBuilder {
         env == Env::Production,
     ));
 
-    if env == Env::Production {
-        m.add(SecurityHeaders::new(&config.uploader));
-    }
     m.add(AppMiddleware::new(app));
 
     // Parse and save the user_id from the session cookie as part of the authentication logic