From b13d143b3431a11ee714626a46fa26869d6253e2 Mon Sep 17 00:00:00 2001
From: bladeswords <bladeswords@users.noreply.github.com>
Date: Thu, 26 Sep 2019 19:43:29 +1000
Subject: [PATCH] Update to address issue #1178 (HTTP headers)

This change should remove the duplicate `x-xss-protection` header and also the `x-powered-by` header.  Hopefully a pull request to main is appropriate, but may be worth back porting to 1.7.

Tested config by modifying live 1.7 nginx config and reloading.  Has had the desired outcome of removing the headers.

```/etc/nginx # nginx -t -c /etc/nginx/nginx.conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/nginx # nginx -s reload
```

These steps were based on:
- https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location
- https://serverfault.com/questions/929571/overwrite-http-headers-comming-back-from-a-web-application-server-proxied-in-ngi
- http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
---
 core/nginx/conf/nginx.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index fcd4bfd7..dca4fc00 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -70,6 +70,10 @@ http {
       {% endif %}
       {% endif %}
 
+      # Remove headers to prevent duplication and information disclosure
+      proxy_hide_header X-XSS-Protection;
+      proxy_hide_header X-Powered-By;
+      
       add_header X-Frame-Options 'SAMEORIGIN';
       add_header X-Content-Type-Options 'nosniff';
       add_header X-Permitted-Cross-Domain-Policies 'none';