From b13d143b3431a11ee714626a46fa26869d6253e2 Mon Sep 17 00:00:00 2001 From: bladeswords Date: Thu, 26 Sep 2019 19:43:29 +1000 Subject: [PATCH] Update to address issue #1178 (HTTP headers) This change should remove the duplicate `x-xss-protection` header and also the `x-powered-by` header. Hopefully a pull request to main is appropriate, but may be worth back porting to 1.7. Tested config by modifying live 1.7 nginx config and reloading. Has had the desired outcome of removing the headers. ```/etc/nginx # nginx -t -c /etc/nginx/nginx.conf nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful /etc/nginx # nginx -s reload ``` These steps were based on: - https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location - https://serverfault.com/questions/929571/overwrite-http-headers-comming-back-from-a-web-application-server-proxied-in-ngi - http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header --- core/nginx/conf/nginx.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index fcd4bfd7..dca4fc00 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -70,6 +70,10 @@ http { {% endif %} {% endif %} + # Remove headers to prevent duplication and information disclosure + proxy_hide_header X-XSS-Protection; + proxy_hide_header X-Powered-By; + add_header X-Frame-Options 'SAMEORIGIN'; add_header X-Content-Type-Options 'nosniff'; add_header X-Permitted-Cross-Domain-Policies 'none';
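Review bot: the two `proxy_hide_header` lines sit in the `http {` context, and nginx does not merge this directive across levels: any `server` or `location` block that declares even one `proxy_hide_header` of its own replaces the inherited set, which would silently re-expose `X-XSS-Protection` and `X-Powered-By` for that block. Worth checking the rest of nginx.conf, including the templated `{% if %}` sections above the hunk, for other `proxy_hide_header` uses; the same inheritance rule applies to the `add_header` lines that follow, so a location with its own `add_header` also drops the security headers set here. Note also that `proxy_hide_header` only filters responses coming back through `proxy_pass`; a backend reached via `fastcgi_pass` or `uwsgi_pass` would need `fastcgi_hide_header` / `uwsgi_hide_header` instead. The commit message reports the reload succeeding but not the header check; a `curl -I` against a proxied path after the reload, confirming `X-Powered-By` is absent and `X-XSS-Protection` appears exactly once, would document the fix for issue #1178 and for the proposed 1.7 backport.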