From 22b9565eb72161e1a66db5980aad8ad56d220a3c Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 6 Apr 2020 16:56:53 +0200
Subject: [PATCH] Forgot to check that these headers are different from the default in security.conf ... maybe we want to keep them as is? Not clear why they have different values tan the domain configs...

---
 data/templates/nginx/yunohost_admin.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/data/templates/nginx/yunohost_admin.conf b/data/templates/nginx/yunohost_admin.conf
index 63d466ecd..3df838c4a 100644
--- a/data/templates/nginx/yunohost_admin.conf
+++ b/data/templates/nginx/yunohost_admin.conf
@@ -20,6 +20,10 @@ server {
 ssl_certificate /etc/yunohost/certs/yunohost.org/crt.pem;
 ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem;
 
+more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
+more_set_headers "Referrer-Policy : 'same-origin'";
+more_set_headers "Content-Security-Policy : upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
+
 location / {
 return 302 https://$http_host/yunohost/admin;
 }
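Review bot: The Referrer-Policy value on the second added `more_set_headers` line is wrapped in single quotes, and `'same-origin'` is not a recognised policy token, so browsers will ignore the header and fall back to their default referrer behaviour; it should read `more_set_headers "Referrer-Policy : same-origin";`. The Content-Security-Policy on the third line has no `default-src`, so every directive other than `object-src` and `script-src` is unrestricted, and `script-src https: 'unsafe-eval'` allows scripts from any HTTPS origin plus eval, which gives little protection on an admin interface; if the admin UI genuinely needs `'unsafe-eval'`, a short `# why:` comment above the line recording which component requires it would help the next person tighten it. The HSTS line carries `includeSubDomains; preload`, which commits the whole domain and its subdomains and is hard to roll back once submitted to preload lists, so it is worth confirming that is intended for this host and not only copied across. The enclosing `server {` block starts and ends outside the hunk.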