Move static HTTP response headers to nginx.conf

kzys · kzys · commit 728f1d2a7a30 · 2020-01-29T06:52:41.000-08:00
We'd like to have these headers on the FastBoot server as well.
diff --git a/config/nginx.conf.erb b/config/nginx.conf.erb
@@ -121,6 +121,10 @@ http {
 			expires max;
 		}
 
+		add_header X-Content-Type-Options "no-sniff";
+		add_header X-Frame-Options "SAMEORIGIN";
+		add_header X-XSS-Protection "1; mode=block";
+
 		add_header Strict-Transport-Security "max-age=31536000" always;
 		add_header Vary 'Accept, Accept-Encoding, Cookie';
 		proxy_set_header Host $http_host;
diff --git a/src/middleware/security_headers.rs b/src/middleware/security_headers.rs
@@ -13,12 +13,6 @@ impl SecurityHeaders {
     pub fn new(uploader: &Uploader) -> Self {
         let mut headers = HashMap::new();
 
-        headers.insert("X-Content-Type-Options".into(), vec!["nosniff".into()]);
-
-        headers.insert("X-Frame-Options".into(), vec!["SAMEORIGIN".into()]);
-
-        headers.insert("X-XSS-Protection".into(), vec!["1; mode=block".into()]);
-
         let s3_host = match *uploader {
             Uploader::S3 {
                 ref bucket,
