TIL how to configure additional headers in GitLab’s nginx

submitted by
Style Pass
2024-09-25 09:00:02

Recently, I had to configure some security headers in GitLab. The Omnibus GitLab package bundles Nginx as its web server, and many of its settings are a one-liner in the gitlab.rb configuration file. For instance, enabling HTTP to HTTPS redirection is done simply by setting nginx['redirect_http_to_https'] = true in gitlab.rb and running gitlab-ctl reconfigure.

However, adding custom response headers, particularly the ones that control cross-origin policy, requires a bit more work. These headers matter because they isolate the site from other origins in the browser and close off a class of cross-origin attacks.

I needed to set three headers: Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), and Cross-Origin-Resource-Policy (CORP). Together they put a page into a cross-origin isolated state, which keeps cross-origin data out of the page's process and so blunts Spectre-style side-channel reads, and they ensure that only resources that explicitly opt in can be loaded by, or interact with, the site.

COOP (with the value same-origin) puts the document in its own browsing context group, so a cross-origin page that opened it, or that it opens, gets no usable window handle to it. COEP (with require-corp) makes the browser refuse to load any cross-origin subresource that has not explicitly granted permission through a CORP header or CORS. CORP, set on a response, tells browsers which origins may load that resource as a subresource, so an untrusted external site cannot pull sensitive content into its own page with a no-cors request.
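The following is an added example and is not code from the original post or from GitLab itself. It shows the three add_header directives as one would put them into /etc/gitlab/gitlab.rb, together with a small lint that parses them back and checks what the resulting headers would do. It assumes the Omnibus GitLab setting nginx['custom_gitlab_server_config'], which injects raw nginx directives into the generated GitLab server block; the header values, the parser, the lint and the constructed weak variant are my own.

```ruby
# Added example (not from the original post or from GitLab): an nginx fragment for
# nginx['custom_gitlab_server_config'] plus a lint over the headers it would emit.
# gitlab.rb is Ruby, so the fragment is written exactly as it would appear there,
# held in a constant here instead of being assigned to the nginx hash.

# Constructed config fragment. `always` makes nginx add the header on every status
# code; without it add_header only fires on 2xx/3xx responses, so error pages would
# be served without the protection.
CUSTOM_GITLAB_SERVER_CONFIG = <<~NGINX
  add_header Cross-Origin-Opener-Policy "same-origin" always;
  add_header Cross-Origin-Embedder-Policy "require-corp" always;
  add_header Cross-Origin-Resource-Policy "same-origin" always;
NGINX

# In /etc/gitlab/gitlab.rb this becomes (assumed Omnibus setting, see lead-in):
#   nginx['custom_gitlab_server_config'] = CUSTOM_GITLAB_SERVER_CONFIG
# followed by `sudo gitlab-ctl reconfigure`.

# Constructed weak variant: no `always`, and COEP is missing, so the page never
# becomes cross-origin isolated.
WEAK_CONFIG = <<~NGINX
  add_header Cross-Origin-Opener-Policy same-origin;
NGINX

# One add_header directive per line; value may be quoted or bare, `always` optional.
ADD_HEADER = /\Aadd_header\s+(?<name>[A-Za-z0-9-]+)\s+(?<value>"[^"]*"|'[^']*'|\S+)(?<always>\s+always)?\s*;\z/

Header = Struct.new(:name, :value, :always)

# Extract the add_header directives from an nginx snippet.
def parse_add_headers(config)
  config.each_line.filter_map do |line|
    next unless (m = ADD_HEADER.match(line.strip))
    Header.new(m[:name].downcase, m[:value].delete('"\''), !m[:always].nil?)
  end
end

# Response headers as a browser would see them (a repeated name keeps the last value).
def response_headers(config)
  parse_add_headers(config).to_h { |h| [h.name, h.value] }
end

# A document is cross-origin isolated, the state that keeps cross-origin data out of
# its process and re-enables SharedArrayBuffer, only when COOP is same-origin and
# COEP is require-corp or credentialless.
def cross_origin_isolated?(headers)
  headers['cross-origin-opener-policy'] == 'same-origin' &&
    %w[require-corp credentialless].include?(headers['cross-origin-embedder-policy'])
end

# Defects a reviewer would flag before running gitlab-ctl reconfigure.
def lint(config)
  warnings = parse_add_headers(config).reject(&:always).map do |h|
    "#{h.name}: missing `always`, header will be absent on 4xx/5xx responses"
  end
  unless cross_origin_isolated?(response_headers(config))
    warnings << 'COOP/COEP do not combine into a cross-origin isolated document'
  end
  warnings
end

if __FILE__ == $PROGRAM_NAME
  { 'hardened' => CUSTOM_GITLAB_SERVER_CONFIG, 'weak' => WEAK_CONFIG }.each do |label, cfg|
    puts "#{label}: #{lint(cfg).empty? ? 'ok' : lint(cfg).join('; ')}"
  end
end
```

Two caveats before enabling this on a real instance. First, COEP require-corp blocks every cross-origin image, script and frame that does not opt in via CORP or CORS, which on GitLab includes things like externally hosted avatars and images embedded in Markdown, so test on a staging instance first. Second, nginx only inherits add_header directives into a location block that defines none of its own, so after reconfiguring, check the actual paths with curl -sI rather than trusting the server-level fragment.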
