diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample index 27ddd9dd6..3a9e8ec2e 100644 --- a/admin_manual/installation/nginx-root.conf.sample +++ b/admin_manual/installation/nginx-root.conf.sample @@ -6,10 +6,9 @@ upstream php-handler { # Set the `immutable` cache control options only for assets with a cache busting `v` argument map $arg_v $asset_immutable { "" ""; - default "immutable"; + default ", immutable"; } - server { listen 80; listen [::]:80; @@ -79,13 +78,14 @@ server { # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; - # Add .mjs as a file extension for javascript + # Set .mjs and .wasm MIME types # Either include it in the default mime.types list - # or include you can include that list explicitly and add the file extension + # and include that list explicitly or add the file extension # only for Nextcloud like below: include mime.types; types { text/javascript js mjs; + application/wasm wasm; } # Specify how to handle directories -- specifying `/index.php$request_uri` @@ -167,12 +167,15 @@ server { # Serve static files location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Cache-Control "public, max-age=15778463$asset_immutable"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } } location ~ \.woff2?$ { diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample index d98ae0559..97f8707fa 100644 --- a/admin_manual/installation/nginx-subdir.conf.sample +++ b/admin_manual/installation/nginx-subdir.conf.sample @@ -6,7 +6,7 @@ upstream php-handler { # Set the `immutable` cache control options only for assets with a cache busting `v` argument map $arg_v $asset_immutable { "" ""; - default "immutable"; + default ", immutable"; } server { @@ -39,13 +39,14 @@ server { # Prevent nginx HTTP Server Detection server_tokens off; - # Add .mjs as a file extension for javascript + # Set .mjs and .wasm MIME types # Either include it in the default mime.types list - # or include you can include that list explicitly and add the file extension + # and include that list explicitly or add the file extension # only for Nextcloud like below: include mime.types; types { text/javascript js mjs; + application/wasm wasm; } location = /robots.txt { @@ -165,12 +166,15 @@ server { # Serve static files location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { try_files $uri /nextcloud/index.php$request_uri; - add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Cache-Control "public, max-age=15778463$asset_immutable"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } } location ~ \.woff2?$ {