From 2a0120de8b4b274bcb22c98426705c54e570edd3 Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Wed, 22 Jul 2020 17:23:23 +0200
Subject: [PATCH] web: set security headers also for non HTTPS

Fixes: #493
---
 web/rootfs/defaults/meet.conf | 4 ++++
 web/rootfs/defaults/ssl.conf | 2 --
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/web/rootfs/defaults/meet.conf b/web/rootfs/defaults/meet.conf
index eff8190..7f02958 100644
--- a/web/rootfs/defaults/meet.conf
+++ b/web/rootfs/defaults/meet.conf
@@ -11,6 +11,10 @@ ssi_types application/x-javascript application/javascript;
 index index.html index.htm;
 error_page 404 /static/404.html;
 
+# Security headers
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+
 location = /config.js {
 alias /config/config.js;
 }
diff --git a/web/rootfs/defaults/ssl.conf b/web/rootfs/defaults/ssl.conf
index cb79fb7..af73a5e 100644
--- a/web/rootfs/defaults/ssl.conf
+++ b/web/rootfs/defaults/ssl.conf
@@ -20,5 +20,3 @@ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-
 
 # headers
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
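Review bot: The two add_header lines sit at what looks like the server level of meet.conf, and nginx inherits add_header into a location block only when that location declares no add_header of its own, so any location in this file or an included snippet that already sets a header (a cache-control header on static assets, for instance) would silently drop X-Content-Type-Options and X-XSS-Protection for those responses; the locations below the hunk should be audited or the headers repeated there. The enclosing server block starts before and ends after the hunk, so I cannot see whether such locations exist. Separately, `X-XSS-Protection "1; mode=block"` is a legacy header that current Chromium and Firefox ignore, and the filter it enables has itself been a source of cross-site information leaks in older browsers, so the usual recommendation is `add_header X-XSS-Protection "0";` together with a Content-Security-Policy. Consider also the `always` parameter, `add_header X-Content-Type-Options nosniff always;`, since without it nginx adds the header only to 2xx/3xx responses and the 404 page configured on the line above would be served without it.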