[IMP] admin: missing header with X-Accel-Redirect

Julien00859 · Julien00859 · commit 4624403d7680 · 2025-12-08T11:44:03.000Z
Nginx doesn't set the Content-Security-Policy and X-Content-Type-Options headers on the response it sends to the browser even though they were present on the response from the Odoo server. closes #15571 Signed-off-by: Julien Castiaux (juc) <juc@odoo.com>
diff --git a/content/administration/on_premise/deploy.rst b/content/administration/on_premise/deploy.rst
@@ -533,6 +533,8 @@ X-Sendfile and X-Accel).
          location /web/filestore {
              internal;
              alias /path/to/odoo/data-dir/filestore;
+             add_header Content-Security-Policy $upstream_http_content_security_policy;
+             add_header X-Content-Type-Options nosniff;
          }
 
      In case you don't know what is the path to your filestore, start Odoo with the

Original file line number	Diff line number	Diff line change
`@@ -533,6 +533,8 @@ X-Sendfile and X-Accel).`
`533`	`533`	`location /web/filestore {`
`534`	`534`	`internal;`
`535`	`535`	`alias /path/to/odoo/data-dir/filestore;`
	`536`	`+ add_header Content-Security-Policy $upstream_http_content_security_policy;`
	`537`	`+ add_header X-Content-Type-Options nosniff;`
`536`	`538`	`}`
`537`	`539`
`538`	`540`	`In case you don't know what is the path to your filestore, start Odoo with the`