Hello,
I’d like to add some headers to GitLab to improve the security on our webpage.
I’ve tried 2 methods that I’ve seen, but neither seems to work, as the security header checker we’ve used isn’t detecting any headers I add.
Method 1)
In the gitlab.rb conf file I’ve added:
nginx['add_header'] = "X-Permitted-Cross-Domain-Policies none"
nginx['add_header'] = "Public-Key-Pins pin-sha256='X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg='"
nginx['add_header'] = "X-XSS-Protection '1; mode=block'"
Method 2)
In the gitlab.rb conf file I’ve added:
nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/*.conf;"
I then created the nginx.conf file with the content:
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-XSS-Protection "1; mode=block";
add_header Public-Key-Pins 'pin-sha256="inyKoabkLrAbxcdYI/SIlPKHIL1fdkFf41q4ykVJXVk="; pin-sha256="8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP/UXPtaY8="; max-age=2592000; includeSubDomains';
The gitlab-ctl reconfigure retrieves no errors and acknowledges there were changes to the nginx config. But the headers aren’t recognized. Is there anything wrong with the config syntax?
Thank you for your help
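
The following is an added example, not part of the original post and not GitLab's own code. It models two behaviours relevant to the methods above: Ruby keeps only the last value assigned to a repeated key, and nginx (per its documentation) lets a level inherit `add_header` directives from the enclosing level only when that level declares none of its own. Assumptions: a plain Hash stands in for the `nginx` settings object, the snippet from Method 2 is loaded at `http` level, and the `SERVER_LEVEL` header is a constructed stand-in for whatever the generated server block already sets.

```ruby
# Added example: why headers set by the two methods may never reach a response.

# Method 1 modelled with a plain Hash (assumption: stands in for the
# gitlab.rb `nginx` settings object). Same key, so each line replaces the last.
def method1_settings
  nginx = {}
  nginx['add_header'] = "X-Permitted-Cross-Domain-Policies none"
  nginx['add_header'] = "X-XSS-Protection '1; mode=block'"
  nginx
end

# Headers from Method 2, assumed to be included at http level.
HTTP_LEVEL = [
  ['X-Permitted-Cross-Domain-Policies', 'none'],
  ['X-XSS-Protection', '1; mode=block']
].freeze

# Constructed sample: one header the generated server block is assumed to set.
SERVER_LEVEL = [['Strict-Transport-Security', 'max-age=63072000']].freeze

# nginx rule: a level inherits add_header from the enclosing level only if it
# declares no add_header itself. `levels` runs outermost (http) to innermost
# (location); each entry lists the [name, value] pairs declared at that level.
def effective_headers(levels)
  levels.reverse_each do |declared|
    return declared.to_h unless declared.empty?
  end
  {}
end

if __FILE__ == $PROGRAM_NAME
  puts "Method 1 keeps: #{method1_settings.inspect}"
  puts "http + server:  #{effective_headers([HTTP_LEVEL, SERVER_LEVEL, []]).keys}"
  puts "server only:    #{effective_headers([[], SERVER_LEVEL + HTTP_LEVEL, []]).keys}"
end
```

To see which headers a real deployment actually sends, compare this against the response headers returned by the running instance, since a header checker only sees what the innermost matching level emits.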