# Reverse proxy configuration

A CSP should be defined to block all scripts, as the app doesn't need any client-side scripting. `X-Content-Type-Options` prevents browsers from misidentifying files as stylesheets or scripts.

```
Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'
X-Content-Type-Options: nosniff
```

The reverse proxy must also enforce HTTPS, which can be done by redirecting all HTTP requests to HTTPS and setting the Strict-Transport-Security header.

# DoS-attack mitigation

The app doesn't do anything against DoS attacks. You should, as a bare minimum, rate limit the app's endpoint.

```
$ iptables -A INPUT -p tcp -m tcp --syn -m hashlimit \
    --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip,dstport \
    --hashlimit-name conn-srcip-dport-rate-limit -j ACCEPT
```

This, for example, would rate limit new TCP connections per source IP and destination port. Note that this rule only accepts SYN packets within the limit; packets above the limit are not matched and fall through to the rules after it, so the chain needs a subsequent rule dropping the remaining SYN packets (or a DROP default policy) for the limit to have any effect.
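A misspelled CSP directive is silently ignored by browsers, so a policy that looks like it blocks scripts may not. The following is an added example, not part of this project's code, that parses a `Content-Security-Policy` header value and audits it against the requirement above (scripts and plugins fully blocked); the directive list and the `audit_csp` function name are this example's own choices. It can be run against the header your reverse proxy actually returns (for instance, copied from `curl -I`).

```python
"""Audit a Content-Security-Policy header value (added example, not project code).

Checks that scripts and objects resolve to 'none' and flags directive names
browsers would not recognise, such as a typo like 'scrip-src'.
"""

# Directive names this audit recognises (a subset of the CSP3 directives).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action",
    "frame-ancestors", "upgrade-insecure-requests", "report-uri", "report-to",
}

# Fetch directives that fall back to default-src when absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Per the CSP spec, if a directive name appears twice the first one wins
    and the duplicate is ignored, which setdefault() reproduces.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Resolve a fetch directive's sources, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def audit_csp(value: str) -> list[str]:
    """Return findings for a policy; an empty list means it meets the requirement."""
    findings = []
    policy = parse_csp(value)

    # Unknown directives are ignored by browsers, so they give false confidence.
    for name in policy:
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}' is ignored by browsers")

    # The app needs no client-side scripting or plugins: both must be 'none'.
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources != ["'none'"]:
            shown = sources or ["(unset, allows all)"]
            findings.append(f"{directive} not fully blocked: resolves to {shown}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the policy as written on this page with the typo,
    # and the corrected version.
    typo_policy = "default-src 'self'; scrip-src 'none'; object-src 'none'"
    fixed_policy = "default-src 'self'; script-src 'none'; object-src 'none'"
    for label, policy in (("typo", typo_policy), ("fixed", fixed_policy)):
        print(label, audit_csp(policy) or "OK")
```

Running it prints two findings for the typoed policy (the unknown `scrip-src` directive, and `script-src` falling back to `default-src 'self'`, which still allows same-origin scripts) and `OK` for the corrected one.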