From 9176934914ad90d6788b603989fa1d487edb823c Mon Sep 17 00:00:00 2001
From: Shane Jaroch
Date: Wed, 21 Jan 2026 15:58:50 -0500
Subject: [PATCH] attach stats report on each request; nginx safety headers

---
 etc/nginx/conf.d/default.dev.conf | 12 ++++++++++--
 etc/nginx/conf.d/default.prod.conf | 13 +++++++++++--
 scripts/gen_services_map.py | 16 +++++++++++++++-
 scripts/gitweb-simplefrontend/services.html | 18 ++++++++++++++++--
 scripts/homepage.html | 18 ++++++++++++++++--
 5 files changed, 68 insertions(+), 9 deletions(-)

diff --git a/etc/nginx/conf.d/default.dev.conf b/etc/nginx/conf.d/default.dev.conf
index d3bd2e9..306a747 100644
--- a/etc/nginx/conf.d/default.dev.conf
+++ b/etc/nginx/conf.d/default.dev.conf
@@ -91,8 +91,6 @@ server {
 # Advertise HTTP/3 availability
 add_header Alt-Svc 'h3=":443"; ma=86400' always;
 
- client_max_body_size 50m;
-
 # HSTS
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
@@ -100,6 +98,16 @@ server {
 #ssl_stapling on;
 #ssl_stapling_verify on;
 
+ # Other headers
+ add_header X-Frame-Options "SAMEORIGIN" always; # Prevent clickjacking & iframe embedding
+ add_header X-XSS-Protection "1; mode=block" always; # Legacy protection
+ add_header X-Content-Type-Options "nosniff" always; # Prevent MIME-type sniffing
+ # CSP policy (prevents XSS attacks)
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;
+
+ client_max_body_size 50m;
+ add_header X-Request-Time $request_time always;
+
 # Services Map (Homepage)
 root /var/www;
 index homepage.html;
diff --git a/etc/nginx/conf.d/default.prod.conf b/etc/nginx/conf.d/default.prod.conf
index 0af80c0..64bd94d 100644
--- a/etc/nginx/conf.d/default.prod.conf
+++ b/etc/nginx/conf.d/default.prod.conf
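Review bot: The `add_header X-XSS-Protection "1; mode=block" always;` line in the new header block re-enables a browser filter that current browsers have removed and that, where it still runs, has been abused to leak cross-site information, so it should be disabled explicitly, `add_header X-XSS-Protection "0" always;`, or dropped. The comment on the CSP line overstates what it does: with `script-src 'self' 'unsafe-inline'` injected inline scripts still execute, so the policy mainly limits where external resources may load from, and the comment should say so, e.g. `# CSP: restricts resource origins; 'unsafe-inline' still allows injected inline scripts`. Adding `frame-ancestors 'self'; object-src 'none'; base-uri 'self'` to the policy would give the X-Frame-Options directive its CSP equivalent and close the plugin and base-tag vectors. The same lines appear in the default.prod.conf hunk. nginx `add_header` directives are inherited into a `location` block only if that block declares no `add_header` of its own; the remainder of this `server {` block is outside the hunk, so any such location would silently lose all of these headers.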
@@ -100,15 +100,24 @@ server {
 # Advertise HTTP/3 availability
 add_header Alt-Svc 'h3=":443"; ma=86400' always;
 
- client_max_body_size 50m;
-
 # HSTS
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Request-Time $request_time always;
 ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
 # OCSP stapling (NOTE: Responders disabled by letsencrypt as of Q3 2025)
 #ssl_stapling on;
 #ssl_stapling_verify on;
 
+ # Other headers
+ add_header X-Frame-Options "SAMEORIGIN" always; # Prevent clickjacking & iframe embedding
+ add_header X-XSS-Protection "1; mode=block" always; # Legacy protection
+ add_header X-Content-Type-Options "nosniff" always; # Prevent MIME-type sniffing
+ # CSP policy (prevents XSS attacks)
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;
+
+ client_max_body_size 50m;
+ add_header X-Request-Time $request_time always;
+
 # Services Map (Homepage)
 root /var/www;
 index homepage.html;
diff --git a/scripts/gen_services_map.py b/scripts/gen_services_map.py
index c8bcf3c..70265a6 100755
--- a/scripts/gen_services_map.py
+++ b/scripts/gen_services_map.py
@@ -38,8 +38,22 @@ HTML_TEMPLATE = """
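Review bot: `add_header X-Request-Time $request_time always;` is added twice in this hunk, once immediately after the Strict-Transport-Security line and again after `client_max_body_size 50m;`, so nginx will emit the header twice on every response; the first occurrence should be removed, which also brings the layout in line with default.dev.conf. Publishing `$request_time` to every client appears intentional (the commit message describes a per-request stats report), but it does disclose server-side processing time per request, which merits a comment on the line such as `# Exposes server processing time to clients for the homepage stats display`. The enclosing `server {` block starts and ends outside the hunk.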

Built: {build_time} | Services: {service_count}

Nginx: v | Served: | - Request:

+ Request: | + Latency: ...

+ """ diff --git a/scripts/gitweb-simplefrontend/services.html b/scripts/gitweb-simplefrontend/services.html index 6616b18..a5a1e58 100644 --- a/scripts/gitweb-simplefrontend/services.html +++ b/scripts/gitweb-simplefrontend/services.html @@ -36,10 +36,24 @@ + \ No newline at end of file diff --git a/scripts/homepage.html b/scripts/homepage.html index f05c10a..b7a1922 100644 --- a/scripts/homepage.html +++ b/scripts/homepage.html @@ -51,10 +51,24 @@ + \ No newline at end of file -- 2.52.0