From 57287e9cff08793c03a8c68507f5d3a79e795de7 Mon Sep 17 00:00:00 2001
From: Rin
Date: Mon, 16 Mar 2026 23:11:41 +0700
Subject: [PATCH] Refactor: Move shared security headers into a snippet and include it in server and files location blocks.

---
 resources/core/nginx/nginx-template.conf | 12 ++----------
 resources/core/nginx/security_headers.conf | 5 +++++
 2 files changed, 7 insertions(+), 10 deletions(-)
 create mode 100644 resources/core/nginx/security_headers.conf

diff --git a/resources/core/nginx/nginx-template.conf b/resources/core/nginx/nginx-template.conf
index 8aaf0782..f07d5e16 100644
--- a/resources/core/nginx/nginx-template.conf
+++ b/resources/core/nginx/nginx-template.conf
@@ -21,11 +21,7 @@ server {
  proxy_buffers 4 256k;
  proxy_busy_buffers_size 256k;
 
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Content-Type-Options nosniff always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+ include resources/core/nginx/security_headers.conf;
 
  set_real_ip_from ${UPSTREAM_REAL_IP_ADDRESS};
  real_ip_header ${UPSTREAM_REAL_IP_HEADER};
@@ -59,11 +55,7 @@ server {
  rewrite ^(.+)\.html$ $1 permanent;
 
  location ~ ^/files/.*.(htm|html|svg|xml) {
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- add_header X-Content-Type-Options nosniff always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
+ include resources/core/nginx/security_headers.conf;
  add_header Content-disposition "attachment";
  try_files /${FRAPPE_SITE_NAME_HEADER}/public/$uri @webserver;
  }
diff --git a/resources/core/nginx/security_headers.conf b/resources/core/nginx/security_headers.conf
new file mode 100644
index 00000000..ccb54267
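Review bot: The new `include resources/core/nginx/security_headers.conf;` (both hunks) uses a relative path, and nginx resolves relative `include` paths against its compile-time prefix (`nginx -V` → `--prefix`, commonly `/etc/nginx`), not against the directory of the including file, so the rendered config only loads if the deployment puts the snippet at `<prefix>/resources/core/nginx/` — the repo layout suggests the snippet sits next to the template, which may not be where the rendered config ends up; I cannot see the deployment step, so please confirm with `nginx -t` in CI or switch to an absolute path. Keeping the second include inside `location ~ ^/files/...` is required, not redundant: nginx inherits `add_header` from the `server` level only when the current block declares no `add_header` of its own, and this location sets `Content-disposition`, so without the include it would silently drop every security header on those responses. That rule is worth stating next to the includes, e.g. `# add_header in a child block disables inheritance; any location that sets add_header must include this snippet too`, so the next location added with its own `add_header` does not lose them. The `server { ... }` block enclosing both hunks starts and ends outside the diff.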
--- /dev/null
+++ b/resources/core/nginx/security_headers.conf
@@ -0,0 +1,5 @@
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
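Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in the new snippet turns on the legacy browser XSS auditor, which current guidance (OWASP Secure Headers project; Chromium removed XSSAuditor) treats as harmful because the filter's block/strip behaviour was usable as an information leak and to knock out legitimate scripts; now that these headers are becoming the shared policy, change it to `add_header X-XSS-Protection "0" always;` or drop the line and rely on a Content-Security-Policy for XSS mitigation. The `Referrer-Policy` value is a comma-separated fallback list in which the last policy the browser recognises wins, so `same-origin` is never applied by any browser that knows `strict-origin-when-cross-origin` (all current ones); if the stricter `same-origin` is the intent it must come last, otherwise the first token is dead. The `preload` token in the HSTS header is a public commitment that only makes sense if the domain is submitted to hstspreload.org and every subdomain is served over TLS, which the diff cannot show; if that is not the case, drop `preload`, since a preload-list entry cannot be undone quickly. The file has no header comment; add a two-line one stating that it is included at both `server` and `location` level because `add_header` stops inheriting once a block declares its own `add_header`.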