From a9a1398a5a10e4877fb9e53db14a518f01af8606 Mon Sep 17 00:00:00 2001
From: jtbruins12
Date: Sun, 16 Apr 2023 22:36:25 -0400
Subject: [PATCH] Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection X-Xss-Protection should be set explicitly to 0 as it opens up additonal vulnerabilities by setting it. Additionally, remove the X-Powered-By header and Last-Modified for opsec. Set X-Content-Type-Options to nosniff as well.
---
 Caddy-2.x-with-Cloudflare-DNS.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/Caddy-2.x-with-Cloudflare-DNS.md b/Caddy-2.x-with-Cloudflare-DNS.md
index 52ae77f..1c57826 100644
--- a/Caddy-2.x-with-Cloudflare-DNS.md
+++ b/Caddy-2.x-with-Cloudflare-DNS.md
@@ -28,13 +28,19 @@ https://[YOUR-DOMAIN]:443 {
 # Enable HTTP Strict Transport Security (HSTS)
 Strict-Transport-Security "max-age=31536000;"
 # Enable cross-site filter (XSS) and tell browser to block detected attacks
- X-XSS-Protection "1; mode=block"
+ X-XSS-Protection "0"
 # Disallow the site to be rendered within a frame (clickjacking protection)
 X-Frame-Options "DENY"
 # Prevent search engines from indexing (optional)
+ # Disallow sniffing of X-Content-Type-Options
+ X-Content-Type-Options "nosniff"
 X-Robots-Tag "none"
 # Server name removing
 -Server
+ # Remove X-Powered-By though this shouldn't be an issue, better opsec to remove
+ -X-Powered-By
+ # Remove Last-Modified because etag is the same and is as effective
+ -Last-Modified
 }
 # The negotiation endpoint is also proxied to Rocket
 reverse_proxy /notifications/hub/negotiate vaultwarden:80
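Review bot: The context comment directly above the changed line, `# Enable cross-site filter (XSS) and tell browser to block detected attacks`, now contradicts `X-XSS-Protection "0"` and should be rewritten to match the commit message, e.g. `# Explicitly disable the legacy browser XSS filter (see MDN); enabling it can introduce vulnerabilities`. The added `# Disallow sniffing of X-Content-Type-Options` misnames what is being blocked (the header stops browsers from MIME-type sniffing the response's Content-Type) and is inserted between `# Prevent search engines from indexing (optional)` and its `X-Robots-Tag "none"` directive, detaching that comment from its line; placing the two new lines above the robots comment and rewording to `# Prevent MIME-type sniffing of responses` keeps each comment next to its directive. The `-Last-Modified` comment asserts the ETag "is the same and is as effective", which only holds if the upstream vaultwarden actually emits ETags on those responses; that is not visible here and the comment should be verified or hedged. The enclosing `https://[YOUR-DOMAIN]:443 {` site block begins before this hunk.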