From e14c29dfeaa4f58768905aeaadcb94f9c87be598 Mon Sep 17 00:00:00 2001
From: Luc Juggery <luc.juggery@gmail.com>
Date: Sat, 3 Feb 2018 17:34:41 +0100
Subject: [PATCH] Move Security Header to https server

---
 conf/nginx.conf | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 8da7b83..3017e8b 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -18,11 +18,6 @@ http {
         server www;
     }
 
-    add_header X-Content-Type-Options "nosniff";
-    add_header X-Frame-Options "DENY";
-    add_header X-XSS-Protection "1; mode=block";
-    add_header Content-Security-Policy "default-src 'self'; script-src https://code.jquery.com https://cdn.jsdelivr.net https://www.google-analytics.com https://www.googletagmanager.com 'self'; style-src https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com 'self'; font-src https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com; object-src 'none'";
-
     server {
         listen                    80;
         server_name               sophia.events;
@@ -40,6 +35,10 @@ http {
         ssl_session_cache         shared:SSL:20m;
         ssl_session_timeout       4h;
         add_header                Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+        add_header                X-Content-Type-Options nosniff;
+        add_header                X-Frame-Options DENY;
+        add_header                X-XSS-Protection "1; mode=block";
+        add_header                Content-Security-Policy "default-src 'self'; script-src https://code.jquery.com https://cdn.jsdelivr.net https://www.google-analytics.com https://www.googletagmanager.com 'self'; style-src https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com 'self'; font-src https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com; object-src 'none'";
 
         location / {
             proxy_set_header Host $host;