feat: implement centralized security headers and optimize SEO metadata and caching configuration

Author: igor-soldev

docker-compose.yml

@@ -33,6 +33,7 @@ services:
       - "443:443"
     volumes:
       - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./nginx/security_headers.inc:/etc/nginx/security_headers.inc:ro
       - ./static:/opt/infrascan/static:ro
       - ./certbot/conf:/etc/letsencrypt:ro
       - ./certbot/www:/var/www/certbot:ro

nginx/nginx.conf

@@ -22,11 +22,7 @@ server {
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 
     # Security headers for SEO
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    include /etc/nginx/security_headers.inc;
 
     client_max_body_size 10M;
 
@@ -41,28 +37,32 @@ server {
         proxy_send_timeout 600s;
 
         # Cache headers for HTML (no-cache to get fresh content, but browser can revalidate)
-        add_header Cache-Control "public, max-age=3600" always;
+        add_header Cache-Control "no-cache" always;
+        include /etc/nginx/security_headers.inc;
     }
 
     location /static/ {
         alias /opt/infrascan/static/;
         # Cache static assets for 1 year
         expires 365d;
-        add_header Cache-Control "public, immutable" always;
+        add_header Cache-Control "public, max-age=31536000, immutable" always;
+        include /etc/nginx/security_headers.inc;
     }
 
     location = /sitemap.xml {
         alias /opt/infrascan/static/sitemap.xml;
         # Cache sitemap for 24 hours
         add_header Cache-Control "public, max-age=86400" always;
         add_header Content-Type "application/xml; charset=utf-8" always;
+        include /etc/nginx/security_headers.inc;
     }
 
     location = /robots.txt {
         alias /opt/infrascan/static/robots.txt;
         # Cache robots.txt for 24 hours
         add_header Cache-Control "public, max-age=86400" always;
         add_header Content-Type "text/plain; charset=utf-8" always;
+        include /etc/nginx/security_headers.inc;
     }
 
     # Error pages

nginx/security_headers.inc

@@ -0,0 +1,6 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://img.shields.io https://www.googletagmanager.com https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com; frame-ancestors 'self'; object-src 'none';" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;

static/robots.txt

@@ -2,12 +2,5 @@ User-agent: *
 Allow: /
 Allow: /api/
 
-# Block any malicious bots
-User-agent: AhrefsBot
-Disallow: /
+Sitemap: https://infrascan.soldevelo.com/sitemap.xml
 
-User-agent: SemrushBot
-Disallow: /
-
-User-agent: DotBot
-Disallow: /

templates/index.html

@@ -17,13 +17,15 @@
     <meta property="og:title" content="InfraScan - Free Infrastructure as Code Security Scanner">
     <meta property="og:description"
         content="Scan Infrastructure as Code for security vulnerabilities and cost optimization. Supports Terraform, CloudFormation, Kubernetes, and more.">
+    <meta property="og:image" content="{{ site_domain }}{{ url_for('static', filename='images/logo_transparent.png') }}">
 
     <!-- Twitter -->
     <meta property="twitter:card" content="summary">
     <meta property="twitter:url" content="{{ site_domain }}/">
     <meta property="twitter:title" content="InfraScan - Free Infrastructure as Code Security Scanner">
     <meta property="twitter:description"
         content="Scan Infrastructure as Code for security vulnerabilities and cost optimization. Supports Terraform, CloudFormation, Kubernetes, and more.">
+    <meta property="twitter:image" content="{{ site_domain }}{{ url_for('static', filename='images/logo_transparent.png') }}">
 
     <!-- Canonical -->
     <link rel="canonical" href="{{ site_domain }}/">
@@ -72,10 +74,9 @@
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
     <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap" rel="stylesheet">
-    <link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}?v={{ static_version }}">
-
     <!-- Preload critical resources -->
     <link rel="preload" as="style" href="{{ url_for('static', filename='style.css') }}?v={{ static_version }}">
+    <link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}?v={{ static_version }}">
 </head>
 
 <body>