From dae0d21d57b1478d70d5b9bbe7770ac91af03e97 Mon Sep 17 00:00:00 2001 From: Lukas Burk Date: Thu, 13 Apr 2017 19:37:33 +0200 Subject: [PATCH] Add info about already set HTTP headers Intended to avoid setting duplicate HTTP headers which will cause issues with tools like Mozilla Observatory many people use to evaluate an instance's security. --- Running-Mastodon/Production-guide.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Running-Mastodon/Production-guide.md b/Running-Mastodon/Production-guide.md index e7269ce3..45dc6b24 100644 --- a/Running-Mastodon/Production-guide.md +++ b/Running-Mastodon/Production-guide.md @@ -1,6 +1,15 @@ Production guide ================ +The following HTTP readers are already set internally and should not be set again: + +``` +'Server' => 'Mastodon', +'X-Frame-Options' => 'DENY', +'X-Content-Type-Options' => 'nosniff', +'X-XSS-Protection'       => '1; mode=block', +``` + ## Nginx Regardless of whether you go with the Docker approach or not, here is an example Nginx server configuration:
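Review bot: the new introductory line in the hunk has a typo, "The following HTTP readers are already set internally" should read "HTTP headers", and it would help readers to say where they are set (the Rails application) so it is clear why re-adding them in the reverse proxy produces duplicates. Since the paragraph tells admins not to set these headers again, the Nginx example that follows ("here is an example Nginx server configuration:") should be checked in the same change for `add_header` directives carrying `X-Frame-Options`, `X-Content-Type-Options` or `X-XSS-Protection`, otherwise the guide contradicts itself and the duplicate-header issue the commit message describes for Mozilla Observatory remains. Minor: the fenced block is a Ruby hash fragment with `=>` and aligned keys, so tagging the fence as ```ruby (or rendering the list as plain header names) would make it clearer that this is not something to paste into an Nginx config.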