fix(nextcloud): move all headers to values file
Signed-off-by: WrenIX <[email protected]>
wrenix committed Oct 11, 2024
1 parent 2e6a7c6 commit b0af62e
Showing 2 changed files with 13 additions and 13 deletions.
15 changes: 4 additions & 11 deletions charts/nextcloud/files/nginx.config.tpl
Expand Up @@ -20,8 +20,10 @@ server {
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
{{- with .Values.nginx.config.header.hsts }}
add_header Strict-Transport-Security {{ . | quote }} always;
{{- range $name, $value := .Values.nginx.config.headers }}
{{- if $value }}
add_header {{ $name }} {{ $value | quote }} always;
{{- end }}
{{- end }}

# set max upload size
Expand All @@ -40,15 +42,6 @@ server {
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;

# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

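Review bot: The new `range` loop emits `$name` into the nginx directive verbatim while only `$value` goes through `quote`, so a values key containing whitespace, `;` or `#` renders a malformed `add_header` line that nginx rejects at startup instead of surfacing as a recognisable chart validation error. Quoting the name as well keeps the directive well-formed: `add_header {{ $name | quote }} {{ $value | quote }} always;`. The `{{- if $value }}` guard also means an empty value silently drops a header, which is how the new `""` default for Strict-Transport-Security is disabled; that is worth a template comment such as `{{- /* header names and values come straight from values.yaml; an empty value omits the header */ -}}`. The enclosing `server {` block starts and ends outside the hunk, and the second hunk is only the removal of the now-duplicated hardcoded add_header lines.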
11 changes: 9 additions & 2 deletions charts/nextcloud/values.yaml
Expand Up @@ -331,15 +331,22 @@ nginx:
config:
# This generates the default nginx config as per the nextcloud documentation
default: true
header:
headers:
# -- HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
# example: hsts: "max-age=15768000; includeSubDomains; preload;"
hsts:
"Strict-Transport-Security": ""
"Referrer-Policy": "no-referrer"
"X-Content-Type-Options": "nosniff"
"X-Download-Options": "noopen"
"X-Frame-Options": "SAMEORIGIN"
"X-Permitted-Cross-Domain-Policies": "none"
"X-Robots-Tag": "noindex, nofollow"
"X-XSS-Protection": "1; mode=block"

custom:
# custom: |-
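Review bot: The example comment kept above the new `headers` map is stale: it still shows the removed `hsts:` key (`# example: hsts: "max-age=15768000; includeSubDomains; preload;"`), and a user who copies it gets a non-empty value that the template turns into a literal `add_header hsts ...` line rather than an HSTS header. It should read `# example: "Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload;"`. The map also deserves a one-line comment stating that keys are header names used verbatim by the template and that an empty value omits the header, since that is the mechanism by which the HSTS default is left disabled here. The `nginx.config` mapping continues outside the hunk.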
