From 5c374bc977d2828be0f9da89069c429bd8268ac3 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Sat, 6 Jun 2020 21:26:50 +0200
Subject: [PATCH] nginx/application: Added security relevant HTTP headers to global config Duplicates removed from server/nextcloud
---
 roles/nginx/application/templates/global.conf | 4 ++++
 roles/server/nextcloud/meta/main.yml | 2 --
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/nginx/application/templates/global.conf b/roles/nginx/application/templates/global.conf
index 57251bf..cb42e55 100644
--- a/roles/nginx/application/templates/global.conf
+++ b/roles/nginx/application/templates/global.conf
@@ -6,4 +6,8 @@ location = /robots.txt {
 access_log off;
 }
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-XSS-Protection "1; mode=block";
+ include {{ nginx_snippets_directory }}/resolver.conf;
diff --git a/roles/server/nextcloud/meta/main.yml b/roles/server/nextcloud/meta/main.yml
index b4b25a6..396eddd 100644
--- a/roles/server/nextcloud/meta/main.yml
+++ b/roles/server/nextcloud/meta/main.yml
@@ -20,8 +20,6 @@ dependencies:
 memory_limit: 1G
 - role: nginx/server
 directives: |
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
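Review bot: The three `add_header` lines added to global.conf carry no `always` parameter, so nginx emits them only for its fixed set of success and redirect status codes and error responses (4xx/5xx) go out without them; consider `add_header X-Content-Type-Options nosniff always;` and the same for `X-Frame-Options`. nginx also inherits `add_header` from an outer level only when the inner level defines none of its own, so any `location` block that sets a header itself will silently drop these three. The Nextcloud locations are not visible here, but since main.yml removes its own copies in this commit it is worth confirming with `curl -I` against a static asset and an error page that the headers still arrive. `X-XSS-Protection "1; mode=block"` addresses a browser XSS filter that current browsers no longer ship, so a one-line comment such as `# legacy browsers only; CSP is the effective control` above it would keep readers from treating it as real XSS protection.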