Commit 70ccc449 authored by omega8cc's avatar omega8cc Committed by memtkmcc

Nginx: Do not hardcode X-Frame-Options header — see #1056

This should be set in /data/conf/global.inc, with an optional OFF switch in the platform-level and site-level INI files.
parent 5833a305
......@@ -113,7 +113,6 @@ if ($is_denied) {
### Add recommended HTTP headers
###
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
<?php endif; ?>
......@@ -186,7 +185,6 @@ location ^~ /cdn/farfuture/ {
add_header Cache-Control "no-transform, public";
add_header Last-Modified "Wed, 20 Jan 1988 04:20:42 GMT";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
......@@ -197,7 +195,6 @@ location ^~ /cdn/farfuture/ {
add_header X-Header "CDN Far Future Generator 1.1";
add_header Cache-Control "private, must-revalidate, proxy-revalidate";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
rewrite ^/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
......@@ -677,7 +674,6 @@ location ~* files/advagg_(?:css|js)/ {
add_header X-Header "AdvAgg Generator 2.0";
add_header Cache-Control "max-age=31449600, no-transform, public";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
set $nocache_details "Skip";
......@@ -978,7 +974,6 @@ location ~* \.xml$ {
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
charset utf-8;
......@@ -1058,7 +1053,6 @@ location ~ ^/(?<esi>esi/.*)"$ {
add_header X-Server-Name "$main_site_name";
add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
###
......@@ -1162,7 +1156,6 @@ location @cache {
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
charset utf-8;
......@@ -1219,7 +1212,6 @@ location = /index.php {
add_header X-This-Proto "$http_x_forwarded_proto";
add_header X-Server-Name "$main_site_name";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
<?php endif; ?>
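Review bot: After the removal, the responses nginx serves without invoking PHP lose the header entirely, because a value configured in /data/conf/global.inc can only be emitted by PHP-generated responses; this applies to the hunks for the far-future CDN, advagg, `.xml` and `@cache` locations in this file (and to the matching hunks in the two following files), whereas the `location = /index.php` hunk is covered by the PHP side. Which of those locations serve files directly rather than proxying to PHP is inferred from their names and surrounding lines, since every `location` block starts and ends outside its hunk. If the intent is that nginx-served static and cached responses are deliberately left without clickjacking protection, that should be recorded next to the remaining headers, e.g. `### X-Frame-Options is set by PHP via /data/conf/global.inc; responses served directly by nginx in this block carry none.`; otherwise keeping `add_header X-Frame-Options SAMEORIGIN;` in the non-PHP locations (or driving it from an nginx variable that mirrors the INI OFF switch) preserves the previous behaviour for those responses.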
......
......@@ -309,7 +309,6 @@ server {
expires 99s;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
root /var/www/nginx-default;
......
......@@ -97,7 +97,6 @@ if ($subdir_main_site_name = '') {
### Add recommended HTTP headers
###
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
......@@ -233,7 +232,6 @@ location ^~ /<?php print $subdir; ?> {
add_header Cache-Control "no-transform, public";
add_header Last-Modified "Wed, 20 Jan 1988 04:20:42 GMT";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
rewrite ^/<?php print $subdir; ?>/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
......@@ -244,7 +242,6 @@ location ^~ /<?php print $subdir; ?> {
add_header X-Header "CDN Far Future Generator 1.1";
add_header Cache-Control "private, must-revalidate, proxy-revalidate";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
rewrite ^/<?php print $subdir; ?>/cdn/farfuture/[^/]+/[^/]+/(.+)$ /$1 break;
......@@ -650,7 +647,6 @@ location ^~ /<?php print $subdir; ?> {
add_header X-Header "AdvAgg Generator 2.0";
add_header Cache-Control "max-age=31449600, no-transform, public";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
set $nocache_details "Skip";
......@@ -839,7 +835,6 @@ location ^~ /<?php print $subdir; ?> {
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
charset utf-8;
......@@ -1019,7 +1014,6 @@ location ^~ /<?php print $subdir; ?> {
add_header X-Server-Sub-Name "$subdir_main_site_name";
add_header X-Response-Status "$status";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
<?php endif; ?>
......@@ -1132,7 +1126,6 @@ location @cache_<?php print $subdir_loc; ?> {
add_header Expires "Tue, 24 Jan 1984 08:00:00 GMT";
add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Access-Control-Allow-Origin *;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block" always;
charset utf-8;
......