From 00c347594316f0ae916ee15ee65846f7e3dc480d Mon Sep 17 00:00:00 2001
From: Rocket-Quack <202538874+Rocket-Quack@users.noreply.github.com>
Date: Tue, 17 Mar 2026 15:54:01 +0100
Subject: [PATCH] build(docker images): add nginx security headers snippet in production and custom images
---
 images/custom/Containerfile | 4 ++++
 images/production/Containerfile | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/images/custom/Containerfile b/images/custom/Containerfile
index eefa4e6c..b72af438 100644
--- a/images/custom/Containerfile
+++ b/images/custom/Containerfile
@@ -63,6 +63,7 @@ RUN useradd -ms /bin/bash frappe \
 # Clean up
 && rm -rf /var/lib/apt/lists/* \
 && rm -fr /etc/nginx/sites-enabled/default \
+ && mkdir -p /etc/nginx/snippets \
 && pip3 install frappe-bench \
 # Fixes for non-root nginx and logs to stdout
 && sed -i '/user www-data/d' /etc/nginx/nginx.conf \
@@ -70,12 +71,15 @@ RUN useradd -ms /bin/bash frappe \
 && touch /run/nginx.pid \
 && chown -R frappe:frappe /etc/nginx/conf.d \
 && chown -R frappe:frappe /etc/nginx/nginx.conf \
+ && chown -R frappe:frappe /etc/nginx/snippets \
 && chown -R frappe:frappe /var/log/nginx \
 && chown -R frappe:frappe /var/lib/nginx \
 && chown -R frappe:frappe /run/nginx.pid \
 && chmod 755 /usr/local/bin/nginx-entrypoint.sh \
 && chmod 644 /templates/nginx/frappe.conf.template
+COPY resources/core/nginx/security_headers.conf /etc/nginx/snippets/security_headers.conf
+
 FROM base AS builder
 RUN apt-get update \
diff --git a/images/production/Containerfile b/images/production/Containerfile
index 4a8c7f4c..17f1573d 100644
--- a/images/production/Containerfile
+++ b/images/production/Containerfile
@@ -60,6 +60,7 @@ RUN useradd -ms /bin/bash frappe \
 # Clean up
 && rm -rf /var/lib/apt/lists/* \
 && rm -fr /etc/nginx/sites-enabled/default \
+ && mkdir -p /etc/nginx/snippets \
 && pip3 install frappe-bench \
 # Fixes for non-root nginx and logs to stdout
 && sed -i '/user www-data/d' /etc/nginx/nginx.conf \
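Review bot: The added `&& chown -R frappe:frappe /etc/nginx/snippets \` in the second hunk of images/custom/Containerfile gives the unprivileged runtime user write access to the directory that holds the security-header config. COPY without `--chown` leaves `security_headers.conf` itself root-owned by default, but ownership of the directory is enough for a process running as frappe to delete or replace the file. Nothing in the visible lines writes to the snippets directory at runtime; if nginx-entrypoint.sh does not either, drop the chown line so the snippet stays root-owned and read-only. The same line is added in the second hunk of images/production/Containerfile, and in both files the RUN instruction starts outside the hunk.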
@@ -67,12 +68,14 @@ RUN useradd -ms /bin/bash frappe \
 && touch /run/nginx.pid \
 && chown -R frappe:frappe /etc/nginx/conf.d \
 && chown -R frappe:frappe /etc/nginx/nginx.conf \
+ && chown -R frappe:frappe /etc/nginx/snippets \
 && chown -R frappe:frappe /var/log/nginx \
 && chown -R frappe:frappe /var/lib/nginx \
 && chown -R frappe:frappe /run/nginx.pid
 COPY resources/core/nginx/nginx-template.conf /templates/nginx/frappe.conf.template
 COPY resources/core/nginx/nginx-entrypoint.sh /usr/local/bin/nginx-entrypoint.sh
+COPY resources/core/nginx/security_headers.conf /etc/nginx/snippets/security_headers.conf
 FROM base AS build
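Review bot: The new `COPY resources/core/nginx/security_headers.conf /etc/nginx/snippets/security_headers.conf` only places the file; the headers are not sent unless the server config contains `include /etc/nginx/snippets/security_headers.conf;`. The diffstat lists only the two Containerfiles, so neither the snippet nor a change to nginx-template.conf is part of this patch, and the build fails at this COPY if the file is not already in resources/core/nginx. nginx does not inherit `add_header` from the server level into a location that declares its own `add_header`, so the include has to be repeated in each such location block of the template. The same COPY is added in images/custom/Containerfile.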