diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample index b2ca962b2..f96de8702 100644 --- a/admin_manual/installation/nginx-root.conf.sample +++ b/admin_manual/installation/nginx-root.conf.sample @@ -6,10 +6,9 @@ upstream php-handler { # Set the `immutable` cache control options only for assets with a cache busting `v` argument map $arg_v $asset_immutable { "" ""; - default "immutable"; + default ", immutable"; } - server { listen 80; listen [::]:80; @@ -80,13 +79,14 @@ server { # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; - # Add .mjs as a file extension for javascript + # Set .mjs and .wasm MIME types # Either include it in the default mime.types list - # or include you can include that list explicitly and add the file extension + # and include that list explicitly or add the file extension # only for Nextcloud like below: include mime.types; types { text/javascript js mjs; + application/wasm wasm; } # Specify how to handle directories -- specifying `/index.php$request_uri` @@ -168,12 +168,15 @@ server { # Serve static files location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ { try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Cache-Control "public, max-age=15778463$asset_immutable"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } } location ~ \.woff2?$ { diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample index 90348e0f9..93da36992 100644 --- a/admin_manual/installation/nginx-subdir.conf.sample +++ b/admin_manual/installation/nginx-subdir.conf.sample @@ -6,7 +6,7 @@ upstream php-handler { # Set the `immutable` cache control options only for assets with a cache busting `v` argument map $arg_v $asset_immutable { "" ""; - default "immutable"; + default ", immutable"; } server { @@ -47,13 +47,14 @@ server { # could take several months. #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; - # Add .mjs as a file extension for javascript + # Set .mjs and .wasm MIME types # Either include it in the default mime.types list - # or include you can include that list explicitly and add the file extension + # and include that list explicitly or add the file extension # only for Nextcloud like below: include mime.types; types { text/javascript js mjs; + application/wasm wasm; } location = /robots.txt { @@ -166,12 +167,15 @@ server { # Serve static files location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ { try_files $uri /nextcloud/index.php$request_uri; - add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Cache-Control "public, max-age=15778463$asset_immutable"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } } location ~ \.woff2?$ {