re-apply #1714 add Content-Security-Policy header

minecrawler · minecrawler · commit 05c301022faf · 2022-09-29T13:04:43.000+02:00
diff --git a/admin_manual/installation/nginx-root.conf.sample b/admin_manual/installation/nginx-root.conf.sample
@@ -69,13 +69,13 @@ server {
     client_body_buffer_size 512k;
 
     # HTTP response headers borrowed from Nextcloud `.htaccess`
-    add_header Referrer-Policy                      "no-referrer"   always;
-    add_header X-Content-Type-Options               "nosniff"       always;
-    add_header X-Download-Options                   "noopen"        always;
-    add_header X-Frame-Options                      "SAMEORIGIN"    always;
-    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-    add_header X-Robots-Tag                         "none"          always;
-    add_header X-XSS-Protection                     "0"             always;
+    add_header Referrer-Policy                      "no-referrer"             always;
+    add_header X-Content-Type-Options               "nosniff"                 always;
+    add_header X-Download-Options                   "noopen"                  always;
+    add_header Content-Security-Policy              "default-src 'self'"      always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"                    always;
+    add_header X-Robots-Tag                         "none"                    always;
+    add_header X-XSS-Protection                     "0"                       always;
 
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
diff --git a/admin_manual/installation/nginx-subdir.conf.sample b/admin_manual/installation/nginx-subdir.conf.sample
@@ -92,13 +92,13 @@ server {
         client_body_buffer_size 512k;
 
         # HTTP response headers borrowed from Nextcloud `.htaccess`
-        add_header Referrer-Policy                      "no-referrer"   always;
-        add_header X-Content-Type-Options               "nosniff"       always;
-        add_header X-Download-Options                   "noopen"        always;
-        add_header X-Frame-Options                      "SAMEORIGIN"    always;
-        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-        add_header X-Robots-Tag                         "none"          always;
-        add_header X-XSS-Protection                     "1; mode=block" always;
+        add_header Referrer-Policy                      "no-referrer"             always;
+        add_header X-Content-Type-Options               "nosniff"                 always;
+        add_header X-Download-Options                   "noopen"                  always;
+        add_header Content-Security-Policy              "default-src 'self'"      always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"                    always;
+        add_header X-Robots-Tag                         "none"                    always;
+        add_header X-XSS-Protection                     "0"                       always;
 
         # Remove X-Powered-By, which is an information leak
         fastcgi_hide_header X-Powered-By;
