From 44705a32b7368a4accdaf4a2ed6c707c69ccd430 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sun, 13 Mar 2016 18:40:02 +0100 Subject: [PATCH] Never allow admin panel to be inside a frame, use both modern and old headers. Also set no content sniffing --- conf/nginx-primaryonly.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf index 9f040c0..8fd546a 100644 --- a/conf/nginx-primaryonly.conf +++ b/conf/nginx-primaryonly.conf @@ -6,7 +6,9 @@ location /admin/ { proxy_pass http://127.0.0.1:10222/; proxy_set_header X-Forwarded-For $remote_addr; - add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options nosniff; + add_header Content-Security-Policy "frame-ancestors 'none';"; } # ownCloud configuration.