From ea77c68e16b772e2fdad3a4ee254b55c4fd228e0 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 2 Sep 2023 20:49:05 +0200
Subject: [PATCH] bundles/nginx: hide content security headers coming from php
---
 bundles/nginx/files/site_template | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index fdd5279..51dd27e 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -149,9 +149,16 @@ server {
 % endfor
 % endif
 % if php:
- location ~ \.php$ {
+ location ~ \.php(?:$|/) {
 include fastcgi.conf;
 fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
+% if not do_not_set_content_security_headers:
+ fastcgi_hide_header Referrer-Policy;
+ fastcgi_hide_header X-Frame-Options;
+ fastcgi_hide_header X-Content-Type-Options;
+ fastcgi_hide_header X-XSS-Protection;
+% endif
+ fastcgi_hide_header Permissions-Policy;
 }
 % if not max_body_size:
 client_max_body_size 5M;
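Review bot: `fastcgi_hide_header Permissions-Policy;` sits after the `% endif`, so it is applied even when `do_not_set_content_security_headers` is set, while the other four hides are skipped in that case. If the template only emits its own Permissions-Policy under the same condition (that part is not in this hunk), a site that opts out would lose the PHP application's policy and send none; moving the line above `% endif` keeps the five headers consistent, or a comment such as `# hidden unconditionally: nginx always sets its own Permissions-Policy` should state that the exception is deliberate. Separately, the widened `location ~ \.php(?:$|/)` now hands PATH_INFO-style URIs to php-fpm, and nothing visible in the block splits the path or checks that the script exists; unless `fastcgi.conf` already does so, add `fastcgi_split_path_info ^(.+?\.php)(/.*)$;` and `try_files $fastcgi_script_name =404;` so that only existing .php files are passed to the interpreter.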