Merge remaining commits from Gitlab repo

Author: pothi

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Pothi Kalimuthu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -37,6 +37,7 @@ There are multiplpe advantages of using this repo as your go-to nginx configurat
 + Mitigate [httpoxy](https://httpoxy.org/) vulnerability.
 + [HSTS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) support.
 + All hidden and backup files are forbidden by default.
++ Passes most security features in [Sonar Scanner](https://sonarwhal.com/scanner/).
 
 ## Compatibility
 

conf.d/common.conf

@@ -42,3 +42,13 @@ map $status $loggable {
 }
 
 # -------------------------------------------------------------------
+
+# https://jdh8.github.io/charset-for-text-on-nginx/
+map $sent_http_content_type $charset {
+    ~^text/   utf-8;
+}
+
+charset       $charset;
+charset_types *;
+
+# -------------------------------------------------------------------

globals/assets.conf

@@ -11,6 +11,7 @@ location ~ \.(?:css|js)$ {
     expires max;
     log_not_found off;
     access_log off;
+    add_header X-Content-Type-Options "nosniff";
 }
 
 # Web fonts needs some special care

globals/restrictions.conf

@@ -6,11 +6,11 @@ location /.git { deny all; }
 location /.htaccess { deny all; }
 location /.htpasswd { deny all; }
 location /.user.ini { deny all; }
-# all remaining dot files
+# this actually covers every dot file, except what follows below it (ex: CertBot)
 location ~ ^/\. { deny all; }
 
 # but allow CertBot - see http://stackoverflow.com/a/34262192
-location ^~ /.well-known {
+location ^~ /.well-known/acme-challenge {
     auth_basic off;
     try_files $uri =404;
     expires -1;

globals/wprocket.conf

@@ -51,7 +51,7 @@ location / {
 
 location @mobileaccess {
     # try_files $uri $uri/ /index.php$is_args$args;
-    try_files "/wp-content/cache/wp-rocket/$host${uri}index$wpsc_https-mobile.html" $uri $uri/ /index.php$is_args$args;
+    try_files "/wp-content/cache/wp-rocket/$host${uri}index-mobile$wpsc_https.html" $uri $uri/ /index.php$is_args$args;
 
     add_header "X-Cache" "HIT - Mobile - WP Rocket Cache";
     # include "globals/hsts.conf";