feat(nginx): change conflicting http headers and disable gzip to align with nextcloud hardening doc

author: Leander Scherer <leander@schererleander.de> 2026-04-05 13:52:24 +0200
committer: Leander Scherer <leander@schererleander.de> 2026-04-05 13:52:24 +0200
commit: 096591d322689b15572a53c8adfea01e69cd94b3 (patch)
tree: 59aa4dba51d4bfe24126d60e79dcac391bba7379 /modules/services/nginx.nix
parent: c7fdf15e7e5ddb2edd8fc021951285510c3a51e4 (diff)
1 files changed, 1 insertions, 4 deletions
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index 73ed594..ebece15 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -2,7 +2,7 @@
   flake.modules.nixos.nginx = {
     services.nginx = {
       enable = true;
-      recommendedGzipSettings = true;
+      recommendedGzipSettings = false;
       recommendedOptimisation = true;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
@@ -12,9 +12,6 @@
         }
         add_header Strict-Transport-Security $hsts_header;
         #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
-        add_header 'Referrer-Policy' 'same-origin';
-        add_header X-Frame-Options DENY;
-        add_header X-Content-Type-Options nosniff;
       '';
     };
     networking.firewall.allowedTCPPorts = [
author	Leander Scherer <leander@schererleander.de>	2026-04-05 13:52:24 +0200
committer	Leander Scherer <leander@schererleander.de>	2026-04-05 13:52:24 +0200
commit	096591d322689b15572a53c8adfea01e69cd94b3 (patch)
tree	59aa4dba51d4bfe24126d60e79dcac391bba7379 /modules/services/nginx.nix
parent	c7fdf15e7e5ddb2edd8fc021951285510c3a51e4 (diff)