mirror of https://github.com/zulip/zulip.git
nginx: Don’t override HSTS, X-Frame-Options with other ‘add_header’s.
The nginx ‘add_header’ directive doesn’t inherit the way you’d want (https://trac.nginx.org/nginx/ticket/854), so we need to manually simulate inheritance using ‘include’, like we previously did with api_headers. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
This commit is contained in:
parent
ba16b37f8d
commit
06e7d4ec19
|
@ -1,3 +1,4 @@
|
||||||
|
include /etc/nginx/zulip-include/headers;
|
||||||
add_header Access-Control-Allow-Origin * always;
|
add_header Access-Control-Allow-Origin * always;
|
||||||
add_header Access-Control-Allow-Headers Authorization always;
|
add_header Access-Control-Allow-Headers Authorization always;
|
||||||
add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD' always;
|
add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD' always;
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
# Enable HSTS: tell browsers to always use HTTPS
|
||||||
|
add_header Strict-Transport-Security max-age=15768000 always;
|
||||||
|
|
||||||
|
# Set X-Frame-Options to deny to prevent clickjacking
|
||||||
|
add_header X-Frame-Options DENY always;
|
|
@ -1,11 +1,7 @@
|
||||||
access_log /var/log/nginx/access.log;
|
access_log /var/log/nginx/access.log;
|
||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
|
|
||||||
# Enable HSTS: tell browsers to always use HTTPS
|
include /etc/nginx/zulip-include/headers;
|
||||||
add_header Strict-Transport-Security max-age=15768000 always;
|
|
||||||
|
|
||||||
# Set X-Frame-Options to deny to prevent clickjacking
|
|
||||||
add_header X-Frame-Options DENY always;
|
|
||||||
|
|
||||||
# Serve a custom error page when the app is down
|
# Serve a custom error page when the app is down
|
||||||
error_page 502 503 504 /static/webpack-bundles/5xx.html;
|
error_page 502 503 504 /static/webpack-bundles/5xx.html;
|
||||||
|
|
|
@ -24,6 +24,7 @@ server {
|
||||||
|
|
||||||
<% if @no_serve_uploads == '' -%>
|
<% if @no_serve_uploads == '' -%>
|
||||||
location /user_avatars {
|
location /user_avatars {
|
||||||
|
include /etc/nginx/zulip-include/headers;
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header Content-Security-Policy "default-src 'none' img-src 'self'";
|
add_header Content-Security-Policy "default-src 'none' img-src 'self'";
|
||||||
include /etc/nginx/zulip-include/uploads.types;
|
include /etc/nginx/zulip-include/uploads.types;
|
||||||
|
|
Loading…
Reference in New Issue