Forgot to check that these headers are different from the default in security.conf ... maybe we want to keep them as is? Not clear why they have different values tan the domain configs...

2024-09-03 20:06:10 +02:00 · 2020-04-06 16:56:53 +02:00 · 2020-04-06 16:56:53 +02:00 · 22b9565eb7
commit 22b9565eb7
parent 4d99cbe870
1 changed files with 4 additions and 0 deletions
--- a/data/templates/nginx/yunohost_admin.conf
+++ b/data/templates/nginx/yunohost_admin.conf
@ -20,6 +20,10 @@ server {
    ssl_certificate /etc/yunohost/certs/yunohost.org/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem;

+    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
+    more_set_headers "Referrer-Policy : 'same-origin'";
+    more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
+
    location / {
        return 302 https://$http_host/yunohost/admin;
    }