Gzip_proxied expired no-cache no-store private no_last_modified no_etag auth # Enable gzip but do not remove ETag headers Return 301 $scheme://$host:$server_port/remote.php/dav #rewrite ^/.well-known/webfinger /public.php?service=webfinger last # The following rule is only needed for the Social app. #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last # Uncomment it if you're planning to use this app. # The following 2 rules are only needed for the user_webfinger app. # Remove X-Powered-By, which is an information leak # in all major browsers and getting removed from this listĪdd_header Referrer-Policy "no-referrer" always Īdd_header X-Content-Type-Options "nosniff" always Īdd_header X-Download-Options "noopen" always Īdd_header X-Frame-Options "SAMEORIGIN" always Īdd_header X-Permitted-Cross-Domain-Policies "none" always Īdd_header X-XSS-Protection "1 mode=block" always # will add the domain to a hardcoded list that is shipped # WARNING: Only add the preload option once you read about #add_header Strict-Transport-Security "max-age=15768000 includeSubDomains preload " always # Before enabling Strict-Transport-Security headers please read into this # Add headers to serve security related headers # NOTE: some settings below might be redundant
# Use Mozilla's guidelines for SSL/TLS settings
0 kommentar(er)
