dep updates/header changes/tls changes

Signed-off-by: Zoey <zoey@z0ey.de>

- dep updates
- upodate nginx/certbot
- improve headers
- change NPM to NPMplus in launch.sh
- when using https backend, only TLSv1 to TLSv1.3 is now allowed, whith secure ciphers

backend/package.json

@@ -16,7 +16,7 @@
     "gravatar": "1.8.2",
     "jsonwebtoken": "9.0.2",
     "knex": "3.0.1",
-    "liquidjs": "10.9.2",
+    "liquidjs": "10.9.3",
     "lodash": "4.17.21",
     "moment": "2.29.4",
     "mysql": "2.18.1",
@@ -29,7 +29,7 @@
   "author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
   "license": "MIT",
   "devDependencies": {
-    "eslint": "8.51.0",
+    "eslint": "8.52.0",
     "eslint-plugin-align-assignments": "1.1.2"
   }
 }

backend/templates/_hsts.conf

@@ -1,7 +1,19 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
+  more_clear_headers "Expect-CT";
   include conf.d/include/hsts.conf;
 {% endif %}
 {% endif %}
 {% endif %}
+
+{% unless certificate and certificate_id > 0 -%}
+{% unless ssl_forced == 1 or ssl_forced == true %}
+{% unless hsts_enabled == 1 or hsts_enabled == true %}
+  more_clear_headers "Content-Security-Policy";
+  
+  more_clear_headers "Expect-CT";
+  more_clear_headers "Strict-Transport-Security";
+{% endunless  %}
+{% endunless  %}
+{% endunless  %}

backend/templates/_listen.conf

@@ -10,7 +10,10 @@
   listen 443 quic;
   listen [::]:443 quic;
 
-  add_header Alt-Svc 'h3=":443"; ma=86400';
+  more_set_headers "Alt-Svc: h3=':443'; ma=86400";
 {% endif %}
 {% endif %}
+{% unless hsts_subdomains %}
+  more_clear_headers "Alt-Svc";
+{% endunless %}
   server_name {{ domain_names | join: " " }};