From 95835118bd8e0c308dec2c3659719760cd17570f Mon Sep 17 00:00:00 2001
From: frju365
Date: Fri, 29 Dec 2017 17:59:12 +0100
Subject: [PATCH] [Fix] CSP Standart.

---
 data/templates/nginx/server.tpl.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index dee667939..6f49d68c3 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -43,9 +43,11 @@ server {
     #ssl_dhparam /etc/ssl/private/dh2048.pem;
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-    add_header 'Referrer-Policy' 'no-referrer';
+    add_header 'Referrer-Policy' 'origin-when-cross-origin';
+    add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';report-uri /csp-violation-report-endpoint/";
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection "1; mode=block";
+    add_header X-Download-Options noopen;
     add_header X-Permitted-Cross-Domain-Policies none;
     add_header X-Frame-Options "SAMEORIGIN";