From dae0d21d57b1478d70d5b9bbe7770ac91af03e97 Mon Sep 17 00:00:00 2001
From: Lukas Burk <jemus42@users.noreply.github.com>
Date: Thu, 13 Apr 2017 19:37:33 +0200
Subject: [PATCH] Add info about already set HTTP headers

Intended to avoid setting duplicate HTTP headers which will cause issues with tools like Mozilla Observatory many people use to evaluate an instance's security.
---
 Running-Mastodon/Production-guide.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Running-Mastodon/Production-guide.md b/Running-Mastodon/Production-guide.md
index e7269ce3..45dc6b24 100644
--- a/Running-Mastodon/Production-guide.md
+++ b/Running-Mastodon/Production-guide.md
@@ -1,6 +1,15 @@
 Production guide
 ================
 
+The following HTTP readers are already set internally and should not be set again:
+
+```
+'Server'                 => 'Mastodon',
+'X-Frame-Options'        => 'DENY',
+'X-Content-Type-Options' => 'nosniff',
+'X-XSS-Protection'       => '1; mode=block',
+```
+
 ## Nginx
 
 Regardless of whether you go with the Docker approach or not, here is an example Nginx server configuration: