Merge pull request #20647 from nextcloud/backport/19002/stable18
[stable18] Fix security header setting in .htaccess by adding 'onsuccess unset'
MorrisJobke authored Apr 29, 2020
2 parents b569f3c + 814f19a commit 277a97c
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions .htaccess
Expand Up @@ -11,13 +11,30 @@

<IfModule mod_env.c>
# Add security and privacy related headers

# Avoid doubled headers by unsetting headers in "onsuccess" table,
# then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "no-referrer"

Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

Header onsuccess unset X-Download-Options
Header always set X-Download-Options "noopen"

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

Header onsuccess unset X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"

Header onsuccess unset X-Robots-Tag
Header always set X-Robots-Tag "none"

Header onsuccess unset X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"

SetEnv modHeadersAvailable true
</IfModule>
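
Review bot: the new comment above the first "Header onsuccess unset" line gives the reason only as a link to the pull request, and it does not mention that each "onsuccess unset" also discards a value an administrator set for the same header in the server or virtual-host configuration, so the values in this file always win. I would say that in the comment, together with the reason two tables are involved: mod_headers keeps "onsuccess" and "always" headers separately, so a header present in both is sent twice. Separately, the only guard visible in this hunk is <IfModule mod_env.c>, while Header is a mod_headers directive; please confirm an enclosing <IfModule mod_headers.c> sits above the hunk, since without it these lines would fail on a server that lacks mod_headers.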
