v9.1

- DietPi-Software | Nextcloud: Re-add Nginx security headers for assets - META | Satisfy shellcheck
MichaIng · Jan 26, 2024 · 023b15f · 023b15f
1 parent 42f20a8
commit 023b15f
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 4 deletions.
diff --git a/.build/images/dietpi-installer b/.build/images/dietpi-installer
@@ -908,7 +908,7 @@ _EOF_
 			)
 
 			# Install entropy daemon on SBCs with ancient kernel: NanoPi M2/T2/Fire2, NanoPi M3/T3/Fire3, Sparky SBC
-			if [[ ! $G_HW_MODEL =~ ^(61|62|70)$ ]] # 
+			if [[ ! $G_HW_MODEL =~ ^(61|62|70)$ ]]
 			then
 				aPACKAGES_REQUIRED_INSTALL+=('haveged')
 				# https://github.com/MichaIng/DietPi/issues/4710
@@ -1178,7 +1178,7 @@ _EOF_
 
 			# Orange Pi Zero 3: Apply device tree adjustment for Ethernet adapter
 			elif (( $G_HW_MODEL == 83 ))
-			then		
+			then
 				# shellcheck disable=SC2016
 				sed --follow-symlinks -i -e '/^setenv bootargs /s/"$/ ethernet_phy=${ethernet_phy}"/' -e '/^# Boot/i\
 if test "${ethernet_phy}" = "rtl8211f"; then\

diff --git a/.conf/dps_114/nginx.nextcloud.conf b/.conf/dps_114/nginx.nextcloud.conf
@@ -84,7 +84,16 @@ location ^~ /nextcloud {
 
 	location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
 		try_files $uri /nextcloud/index.php$request_uri;
+		# HTTP response headers borrowed from Nextcloud `.htaccess`
 		add_header Cache-Control "public, max-age=15778463$asset_immutable";
+		#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+		add_header Referrer-Policy "no-referrer" always;
+		add_header X-Content-Type-Options "nosniff" always;
+		add_header X-Download-Options "noopen" always;
+		add_header X-Frame-Options "SAMEORIGIN" always;
+		add_header X-Permitted-Cross-Domain-Policies "none" always;
+		add_header X-Robots-Tag "noindex, nofollow" always;
+		add_header X-XSS-Protection "1; mode=block" always;
 		access_log off; # Optional: Don't log access to assets
 	}
 

diff --git a/.update/patches b/.update/patches
@@ -1577,7 +1577,7 @@ Patch_9_0()
 		# - Nginx
 		if [[ -f '/etc/nginx/sites-dietpi/dietpi-nextcloud.conf' ]]
 		then
-			echo '# Set the `immutable` cache control option for assets with a cache busting `v` argument
+			echo '# Set the "immutable" cache control option for assets with a cache busting "v=" argument
 map $arg_v $asset_immutable {
 	"" "";
 	default ", immutable";

diff --git a/dietpi/dietpi-software b/dietpi/dietpi-software
@@ -4644,7 +4644,7 @@ url.redirect += (
 			elif (( ${aSOFTWARE_INSTALL_STATE[85]} > 0 ))
 			then
 				G_DIETPI-NOTIFY 2 'Nginx webserver found, enabling Nextcloud specific configuration.' # https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html
-				echo '# Set the `immutable` cache control option for assets with a cache busting `v` argument
+				echo '# Set the "immutable" cache control option for assets with a cache busting "v=" argument
 map $arg_v $asset_immutable {
 	"" "";
 	default ", immutable";