Improve headers

jra_nextcloud.sh

@@ -186,11 +186,13 @@ server {
     # will add the domain to a hardcoded list that is shipped
     # in all major browsers and getting removed from this list
     # could take several months.
-    add_header X-Content-Type-Options nosniff;
+    add_header Referrer-Policy "no-referrer" always;
-    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Robots-Tag none;
+    add_header X-Download-Options "noopen" always;
-    add_header X-Download-Options noopen;
+    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Permitted-Cross-Domain-Policies none;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-XSS-Protection "1; mode=block" always;
 
     # Path to the root of your installation
     root $NC_PATH/;
@@ -279,11 +281,13 @@ server {
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header X-Content-Type-Options nosniff;
+        add_header Referrer-Policy "no-referrer" always;
-        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Robots-Tag none;
+        add_header X-Download-Options "noopen" always;
-        add_header X-Download-Options noopen;
+        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
         # Optional: Don't log access to assets
         access_log off;
     }