Update Nginx subdir headers to match webroot config

+ Ref: https://github.com/nextcloud/documentation/pull/1520 + The master merge to resolve conflicts has reverted the headers changes for the subdir config. This commit redoes the intended changes, to match Nginx webroot config and .htaccess. Signed-off-by: Micha Felle <micha@dietpi.com>
2025-10-26 11:18:02 +00:00 · 2019-08-24 14:34:41 +02:00 · 2019-08-24 14:34:41 +02:00 · 3fc4f5def4
commit 3fc4f5def4
parent 1c1184d4ac
1 changed files with 14 additions and 12 deletions
--- a/admin_manual/installation/nginx.rst
+++ b/admin_manual/installation/nginx.rst
@ -226,12 +226,13 @@ your nginx installation.
      # will add the domain to a hardcoded list that is shipped
      # in all major browsers and getting removed from this list
      # could take several months.
-      add_header X-Content-Type-Options nosniff;
-      add_header X-XSS-Protection "1; mode=block";
-      add_header X-Robots-Tag none;
-      add_header X-Download-Options noopen;
-      add_header X-Permitted-Cross-Domain-Policies none;
-      add_header Referrer-Policy no-referrer;
+      add_header Referrer-Policy "no-referrer" always;
+      add_header X-Content-Type-Options "nosniff" always;
+      add_header X-Download-Options "noopen" always;
+      add_header X-Frame-Options "SAMEORIGIN" always;
+      add_header X-Permitted-Cross-Domain-Policies "none" always;
+      add_header X-Robots-Tag "none" always;
+      add_header X-XSS-Protection "1; mode=block" always;

      # Remove X-Powered-By, which is an information leak
      fastcgi_hide_header X-Powered-By;
@ -328,12 +329,13 @@ your nginx installation.
              # will add the domain to a hardcoded list that is shipped
              # in all major browsers and getting removed from this list
              # could take several months.
-              add_header X-Content-Type-Options nosniff;
-              add_header X-XSS-Protection "1; mode=block";
-              add_header X-Robots-Tag none;
-              add_header X-Download-Options noopen;
-              add_header X-Permitted-Cross-Domain-Policies none;
-              add_header Referrer-Policy no-referrer;
+              add_header Referrer-Policy "no-referrer" always;
+              add_header X-Content-Type-Options "nosniff" always;
+              add_header X-Download-Options "noopen" always;
+              add_header X-Frame-Options "SAMEORIGIN" always;
+              add_header X-Permitted-Cross-Domain-Policies "none" always;
+              add_header X-Robots-Tag "none" always;
+              add_header X-XSS-Protection "1; mode=block" always;

              # Optional: Don't log access to assets
              access_log off;