location / { # Path to source alias __FINALPATH__/web/; index index.php; client_max_body_size 500M; try_files $uri $uri/ index.php; location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; } # security headers more_set_headers "Strict-Transport-Security: max-age=63072000"; more_set_headers "X-XSS-Protection: 0"; more_set_headers "X-Content-Type-Options: nosniff"; more_set_headers "Content-Security-Policy: default-src 'self' data:; script-src 'self'; connect-src 'self' blob: https://get.elabftw.net; img-src 'self' data: blob: https://www.cornify.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; base-uri 'none'; frame-ancestors 'none'"; more_set_headers "Referrer-Policy: no-referrer"; more_set_headers "Feature-Policy: autoplay 'none'; camera 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none'"; more_set_headers "Vary: Accept-Encoding"; }