Recently, I had to configure some security headers in GitLab. GitLab uses Nginx as its web server, and it allows for easy configuration changes for some settings. For instance, enabling HTTP to HTTPS redirection can be done simply by setting nginx['redirect_http_to_https'] = true in the gitlab.rb configuration file.

However, adding custom headers for security, particularly those that control cross-origin policies, requires a bit more work. These headers are essential for preventing certain types of attacks and ensuring better isolation between websites.

I needed to set three headers: Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), and Cross-Origin-Resource-Policy (CORP). These headers mitigate cross-origin attacks, including Spectre-style side-channel leaks, and ensure that only resources from trusted origins can interact with the site.

COOP isolates the window or tab in which the site is running from cross-origin content: a cross-origin page that opened the site, or was opened by it, no longer keeps a usable reference to its window. COEP guarantees that cross-origin resources are loaded only if they explicitly opt in (through CORP or CORS). CORP tells the browser which origins may load a given resource, preventing untrusted external sites from embedding or reading sensitive content.

Configuring these in GitLab’s Nginx was a bit tricky. Nginx requires that every setting ends with a semicolon and a newline. Additionally, for better readability in the gitlab.rb file, I added line breaks while ensuring there were no spaces after the backslashes at the end of each line.

Here’s the final result that you can copy-paste into your gitlab.rb configuration file:

nginx['custom_gitlab_server_config'] = "add_header Cross-Origin-Opener-Policy same-origin;\n\
                                        add_header Cross-Origin-Embedder-Policy require-corp;\n\
                                        add_header Cross-Origin-Resource-Policy same-site;"

The key thing to note is that there should be no trailing spaces after the backslashes in this multi-line string, as even a single space could cause the configuration to fail.

Of course, you can then add additional headers or other Nginx settings after the add_header directives.
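To verify both halves of the setup described above (that the multi-line gitlab.rb string really yields one well-terminated add_header directive per line, and that a deployed instance actually sends the three headers), here is an added Ruby example. It is not part of the original post or of GitLab; the function names, the sample responses and the modelled "partial" case are constructed for illustration. The parser also accepts any further add_header lines you append to the same string.

```ruby
# Added example (not from the original post or from GitLab): parse the
# gitlab.rb string into the nginx add_header directives it produces, then
# check that an HTTP response carries those headers with the right values.
require 'net/http'
require 'uri'

# The same multi-line Ruby string the post puts into gitlab.rb. The backslash
# at the end of each line escapes the newline, so this stays one Ruby string
# literal while the "\n" inside it gives nginx one directive per line.
GITLAB_SERVER_CONFIG = "add_header Cross-Origin-Opener-Policy same-origin;\n\
                                        add_header Cross-Origin-Embedder-Policy require-corp;\n\
                                        add_header Cross-Origin-Resource-Policy same-site;"

# Turn an nginx snippet into { header_name (lowercased) => value } for every
# add_header directive. Raises if a line does not end in ';', which is the
# mistake nginx rejects when the configuration is loaded.
def expected_headers(config)
  config.each_line.map(&:strip).reject(&:empty?).each_with_object({}) do |line, acc|
    raise ArgumentError, "directive missing ';': #{line.inspect}" unless line.end_with?(';')
    words = line.chomp(';').split
    next unless words.first == 'add_header'
    # words[1] is the header name, words[2] its value; a trailing "always"
    # flag (if present) is ignored here.
    acc[words[1].downcase] = words[2]
  end
end

# Compare response headers against the expected set. Accepts the shape
# Net::HTTPHeader#to_hash returns (lowercased names => arrays of values) or a
# plain name => String hash, so it works for live and constructed input alike.
# Returns the expected headers that are missing or carry a different value.
def missing_or_wrong(response_headers, expected)
  actual = response_headers.each_with_object({}) do |(name, value), acc|
    acc[name.downcase] = Array(value).first.to_s.strip
  end
  expected.reject { |name, value| actual[name] == value }
end

# Live check against a deployed instance (not exercised here). Check the paths
# you actually serve, not just "/": an add_header inside a nested nginx
# location block replaces the directives inherited from the server block.
def check_url(url, expected = expected_headers(GITLAB_SERVER_CONFIG))
  uri = URI(url)
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.get(uri.request_uri)
  end
  missing_or_wrong(response.to_hash, expected)
end

# Constructed sample responses (not captured from a real server).
SAMPLE_GOOD = {
  'content-type' => ['text/html'],
  'cross-origin-opener-policy' => ['same-origin'],
  'cross-origin-embedder-policy' => ['require-corp'],
  'cross-origin-resource-policy' => ['same-site'],
}
# Models a location block whose own add_header dropped the inherited ones:
# only one of the three headers survived.
SAMPLE_PARTIAL = {
  'content-type' => ['application/json'],
  'cross-origin-resource-policy' => ['same-site'],
}

if __FILE__ == $PROGRAM_NAME
  expected = expected_headers(GITLAB_SERVER_CONFIG)
  puts "expected: #{expected}"
  puts "good sample problems: #{missing_or_wrong(SAMPLE_GOOD, expected)}"
  puts "partial sample problems: #{missing_or_wrong(SAMPLE_PARTIAL, expected)}"
  puts "live: #{check_url(ARGV[0])}" if ARGV[0]
end
```

Run it with no arguments to see the parsed directives and the two sample results, or pass the URL of your instance (for example a project page and an API path) to compare the live response against what gitlab.rb is supposed to produce.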
