From 9c0b3b4e884472b6d2a0ffc7a6d8e9723aa87152 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Sun, 26 Jul 2020 01:20:10 +0200
Subject: [PATCH] Add SAMEORIGIN header to Nextcloud

---
 .../files/nextcloud/web/nginx.conf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/roles/nextcloud-docker/files/nextcloud/web/nginx.conf b/roles/nextcloud-docker/files/nextcloud/web/nginx.conf
index 38eef81..1f5ce64 100644
--- a/roles/nextcloud-docker/files/nextcloud/web/nginx.conf
+++ b/roles/nextcloud-docker/files/nextcloud/web/nginx.conf
@@ -45,12 +45,17 @@ http {
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ fastcgi_hide_header X-Powered-By;
+
+ root /var/www/html;
 location = /robots.txt {