From 1e7013b947790bbacc9bf54c94c3abc575817708 Mon Sep 17 00:00:00 2001
From: MiguelNdeCarvalho <geral@miguelndecarvalho.pt>
Date: Mon, 7 Oct 2019 13:33:04 +0100
Subject: [PATCH] Nginx: Fix Strict-Transport and X-Frame-Options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Errors:
          The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
          The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
---
 root/defaults/default | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/root/defaults/default b/root/defaults/default
index ac8d3678..8095aef8 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -19,6 +19,8 @@ server {
     add_header X-Download-Options noopen;
     add_header X-Permitted-Cross-Domain-Policies none;
     add_header Referrer-Policy no-referrer;
+    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+    add_header X-Frame-Options "SAMEORIGIN";
     fastcgi_hide_header X-Powered-By;
     root /config/www/nextcloud/;
     location = /robots.txt {