authorblizzz <blizzz@arthur-schiwon.de>2020-04-24 17:15:12 +0200
committerGitHub <noreply@github.com>2020-04-24 17:15:12 +0200
commit797fa188c224132d522710ecda4aa4feb85c3739 (patch)
tree44c98e6a25938b44b0f3225fc0dfc979998c5aa4
parent652639b63619a577087254803c16ae90b7e3bd7c (diff)
parentaf5380f5a87cca9240fbaacc1e28ae20b607cdea (diff)
downloadnextcloud-server-797fa188c224132d522710ecda4aa4feb85c3739.tar.gz
nextcloud-server-797fa188c224132d522710ecda4aa4feb85c3739.zip
Merge pull request #19002 from zertrin/patch-1
Fix security header setting in .htaccess by adding 'onsuccess unset'
-rw-r--r--.htaccess17
1 files changed, 17 insertions, 0 deletions
diff --git a/.htaccess b/.htaccess
index 8b91422755c..87280cc9e01 100644
--- a/.htaccess
+++ b/.htaccess
@@ -11,13 +11,30 @@
<IfModule mod_env.c>
# Add security and privacy related headers
+
+ # Avoid doubled headers by unsetting headers in "onsuccess" table,
+ # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
+ Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "no-referrer"
+
+ Header onsuccess unset X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
+
+ Header onsuccess unset X-Download-Options
Header always set X-Download-Options "noopen"
+
+ Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
+
+ Header onsuccess unset X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"
+
+ Header onsuccess unset X-Robots-Tag
Header always set X-Robots-Tag "none"
+
+ Header onsuccess unset X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
+
SetEnv modHeadersAvailable true
</IfModule>