From 44705a32b7368a4accdaf4a2ed6c707c69ccd430 Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Sun, 13 Mar 2016 18:40:02 +0100
Subject: [PATCH] Never allow admin panel to be inside a frame, use both modern and old headers. Also set no content sniffing

---
 conf/nginx-primaryonly.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index 9f040c0d..8fd546af 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -6,7 +6,9 @@ location /admin/ {
     proxy_pass http://127.0.0.1:10222/;
     proxy_set_header X-Forwarded-For $remote_addr;
-    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Frame-Options "DENY";
+    add_header X-Content-Type-Options nosniff;
+    add_header Content-Security-Policy "frame-ancestors 'none';";
 }
 # ownCloud configuration.
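Review bot: The three add_header directives inside the /admin/ location replace, rather than extend, any add_header directives defined in the enclosing server block, because nginx only inherits add_header into a level that declares none of its own; if the server block (not visible here) sets headers such as Strict-Transport-Security, /admin/ responses will now lack them. These headers are also attached only to 2xx and 3xx responses by default, so 401/403/500 pages returned by the proxied admin backend go out without the framing and sniffing protections unless `always` is appended, e.g. `add_header X-Frame-Options "DENY" always;` (requires nginx 1.7.5 or later). If the backend on 127.0.0.1:10222 already emits its own X-Frame-Options, the response will carry two such headers, which is worth verifying once deployed. A short comment above the block would prevent the inheritance surprise for the next editor: `# add_header here overrides (does not merge with) headers set at server level; repeat any that /admin/ still needs`.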