wizard: fix headers

nextcloud · Mar 9, 2019 · f5ba0b1 · f5ba0b1
1 parent 1a46667
commit f5ba0b1
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 17 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,7 @@
 
-[v1.9.2](https://github.com/nextcloud/nextcloudpi/commit/8e97067) (2019-03-08) cleanup update.sh
+[v1.9.3](https://github.com/nextcloud/nextcloudpi/commit/94bdbc3) (2019-03-09) wizard: fix headers
+
+[v1.9.2](https://github.com/nextcloud/nextcloudpi/commit/1a46667) (2019-03-08) cleanup update.sh
 
 [v1.9.1  ](https://github.com/nextcloud/nextcloudpi/commit/060f004) (2019-03-03) fix LE cron
 

diff --git a/ncp-web/wizard/index.php b/ncp-web/wizard/index.php
@@ -1,3 +1,29 @@
+<?php 
+/*
+ NextCloudPi Wizard
+
+ Copyleft 2017 by Pantelis Sarantos and Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
+ GPL licensed (see end of file) * Use at your own risk!
+
+ More at https://nextcloudpi.com
+
+**/
+
+    ini_set('session.cookie_httponly', 1);
+    if ( isset($_SERVER['HTTPS']) )
+      ini_set('session.cookie_secure', 1);
+
+    session_start();
+
+    // security headers
+    header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
+    header("X-XSS-Protection: 1; mode=block");
+    header("X-Content-Type-Options: nosniff");
+    header("X-Robots-Tag: none");
+    header("X-Permitted-Cross-Domain-Policies: none");
+    header("X-Frame-Options: DENY");
+    header("Cache-Control: max-age=15778463");
+?>
 <!DOCTYPE html>
 <html>
 	<head>
@@ -7,22 +33,6 @@
 		<!-- Bootstrap -->
 		<link href="bootstrap/css/bootstrap.min.css" rel="stylesheet">
 		<link href="CSS/wizard.css" rel="stylesheet">
-        <?php 
-            session_start();
-
-            ini_set('session.cookie_httponly', 1);
-            if ( isset($_SERVER['HTTPS']) )
-              ini_set('session.cookie_secure', 1);
-
-            // security headers
-            header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
-            header("X-XSS-Protection: 1; mode=block");
-            header("X-Content-Type-Options: nosniff");
-            header("X-Robots-Tag: none");
-            header("X-Permitted-Cross-Domain-Policies: none");
-            header("X-Frame-Options: DENY");
-            header("Cache-Control: max-age=15778463");
-        ?>
         <link rel="icon" type="image/png" href="../img/favicon.png" />
 	</head>
 <body>