Update Nginx subdir headers to match webroot config

+ Ref: #1520 + The master merge to resolve conflicts has reverted the headers changes for the subdir config. This commit redoes the intended changes, to match Nginx webroot config and .htaccess. Signed-off-by: Micha Felle <micha@dietpi.com>
nextcloud · Aug 24, 2019 · 3fc4f5d · 3fc4f5d
1 parent 1c1184d
commit 3fc4f5d
Showing 1 changed file with 14 additions and 12 deletions.
diff --git a/admin_manual/installation/nginx.rst b/admin_manual/installation/nginx.rst
@@ -226,12 +226,13 @@ your nginx installation.
       # will add the domain to a hardcoded list that is shipped
       # in all major browsers and getting removed from this list
       # could take several months.
-      add_header X-Content-Type-Options nosniff;
-      add_header X-XSS-Protection "1; mode=block";
-      add_header X-Robots-Tag none;
-      add_header X-Download-Options noopen;
-      add_header X-Permitted-Cross-Domain-Policies none;
-      add_header Referrer-Policy no-referrer;
+      add_header Referrer-Policy "no-referrer" always;
+      add_header X-Content-Type-Options "nosniff" always;
+      add_header X-Download-Options "noopen" always;
+      add_header X-Frame-Options "SAMEORIGIN" always;
+      add_header X-Permitted-Cross-Domain-Policies "none" always;
+      add_header X-Robots-Tag "none" always;
+      add_header X-XSS-Protection "1; mode=block" always;
 
       # Remove X-Powered-By, which is an information leak
       fastcgi_hide_header X-Powered-By;
@@ -328,12 +329,13 @@ your nginx installation.
               # will add the domain to a hardcoded list that is shipped
               # in all major browsers and getting removed from this list
               # could take several months.
-              add_header X-Content-Type-Options nosniff;
-              add_header X-XSS-Protection "1; mode=block";
-              add_header X-Robots-Tag none;
-              add_header X-Download-Options noopen;
-              add_header X-Permitted-Cross-Domain-Policies none;
-              add_header Referrer-Policy no-referrer;
+              add_header Referrer-Policy "no-referrer" always;
+              add_header X-Content-Type-Options "nosniff" always;
+              add_header X-Download-Options "noopen" always;
+              add_header X-Frame-Options "SAMEORIGIN" always;
+              add_header X-Permitted-Cross-Domain-Policies "none" always;
+              add_header X-Robots-Tag "none" always;
+              add_header X-XSS-Protection "1; mode=block" always;
 
               # Optional: Don't log access to assets
               access_log off;