🐛 Nginx container fixes: CSP, MIME types, homepage-link, favicon

robbertbos · robbertbos · commit ae6d427b22b2 · 2026-03-03T23:04:52.000+01:00
- CSP: script-src en style-src 'self' 'unsafe-inline' toegevoegd zodat inline scripts en styles niet geblokkeerd worden
- CSS/JS location blok verwijderd (vermeed header-inheritance bug en onnodige 1y cache voor PoC)
- Font MIME type font/ttf toegevoegd voor .ttf bestanden
- Homepage-link van /poc-moza/ naar /moza/ gecorrigeerd
- ZAD component hernoemd van 'frontend' naar 'proef'
- Favicon alias zodat /favicon.ico naar /assets/favicon/favicon.ico verwijst
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
@@ -77,7 +77,7 @@ jobs:
           api-key: ${{ secrets.ZAD_API_KEY }}
           project-id: pm-5sj
           deployment-name: pr${{ github.event.pull_request.number }}
-          component: frontend
+          component: proef
           image: ${{ needs.build.outputs.image }}
           comment-on-pr: true
           qr-code: true
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -68,6 +68,6 @@ jobs:
           api-key: ${{ secrets.ZAD_API_KEY }}
           project-id: pm-5sj
           deployment-name: poc
-          component: frontend
+          component: proef
           image: ${{ needs.build.outputs.image }}
           wait-for-ready: true
diff --git a/_includes/header-overheid.njk b/_includes/header-overheid.njk
@@ -1,6 +1,6 @@
 <header>
 	<figure class="logo">
-		<a href="/poc-moza/">
+		<a href="/moza/">
 			<img src="{{ '/assets/images/beeldmerk-rijksoverheid.svg' | url }}" alt="Naar de homepage van MijnOverheid Zakelijk">
 		</a>
 	</figure>
diff --git a/container/default.conf b/container/default.conf
@@ -12,16 +12,15 @@ server {
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
-    add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'none';" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'none';" always;
     add_header Strict-Transport-Security "max-age=31536000" always;
 
-    location /.well-known/security.txt {
-        return 302 https://www.ncsc.nl/.well-known/security.txt;
+    location = /favicon.ico {
+        alias /usr/share/nginx/html/assets/favicon/favicon.ico;
     }
 
-    location ~* \.(css|js)$ {
-        expires 1y;
-        add_header Cache-Control "public, immutable";
+    location /.well-known/security.txt {
+        return 302 https://www.ncsc.nl/.well-known/security.txt;
     }
 
     location / {
diff --git a/container/nginx.conf b/container/nginx.conf
@@ -15,6 +15,9 @@ http {
     scgi_temp_path /tmp/scgi_temp;
 
     include /etc/nginx/mime.types;
+    types {
+        font/ttf ttf;
+    }
     default_type application/octet-stream;
 
     access_log off;
