From 698b25e5b55bdc154dd6cc5a9c6320570b2bfdf6 Mon Sep 17 00:00:00 2001
From: Florian Diwald
Date: Sun, 18 Apr 2021 14:47:46 +0200
Subject: [PATCH] fix HSTS header in nginx subdir configuration

Signed-off-by: Florian Diwald
---
 .../installation/nginx-subdir.conf.sample | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
index ad1df1d30..b10d06604 100644
--- a/admin_manual/installation/nginx-subdir.conf.sample
+++ b/admin_manual/installation/nginx-subdir.conf.sample
@@ -24,14 +24,6 @@ server {
 ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
 ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
 
- # HSTS settings
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-
 # Path to the root of the domain
 root /var/www;
 
@@ -73,6 +65,14 @@ server {
 # with the `ngx_pagespeed` module, uncomment this line to disable it.
 #pagespeed off;
 
+ # HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
 # HTTP response headers borrowed from Nextcloud `.htaccess`
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
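Review bot: The commented `add_header Strict-Transport-Security` line added in the second hunk already carries `preload`, although the warning directly above it says to add that option only after reading hstspreload.org. An admin who just uncomments the line therefore commits the domain and all subdomains without having made that choice. I would ship the sample as `#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;` and have the comment tell the admin to append `preload` deliberately; note also that hstspreload.org asks for a max-age of at least 31536000, so the current value would not qualify for the list anyway. The enclosing block opens outside this hunk, but it appears to be the block that sets the other `add_header` lines. Since nginx inherits `add_header` only into levels that define none of their own, a short comment such as `# repeat this line in every block that sets its own add_header; responses from other locations will not carry it` would tell readers why the header lives here and where it is still missing.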