From 0070d23dab950cc8906da0ff19f996e964694928 Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Fri, 20 Jul 2018 14:11:20 -0400 Subject: [PATCH] csp is only for web vault --- util/Setup/NginxConfigBuilder.cs | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/util/Setup/NginxConfigBuilder.cs b/util/Setup/NginxConfigBuilder.cs index ab792836d0..20229af25a 100644 --- a/util/Setup/NginxConfigBuilder.cs +++ b/util/Setup/NginxConfigBuilder.cs @@ -141,24 +141,15 @@ server {{ } sw.WriteLine($@" - # X-Frame-Options is to prevent from click-jacking attack + # Security headers #add_header X-Frame-Options SAMEORIGIN; - - # Disable content-type sniffing on some browsers. add_header X-Content-Type-Options nosniff; - - # This header enables the Cross-site scripting (XSS) filter add_header X-XSS-Protection ""1; mode=block""; - - # This header controls what referrer information is shared add_header Referrer-Policy same-origin; - # Content-Security-Policy to prevent malicious XSS code - add_header Content-Security-Policy ""{ContentSecurityPolicy}"";"); - - sw.WriteLine($@" location / {{ proxy_pass http://web:5000/; + add_header Content-Security-Policy ""{ContentSecurityPolicy}""; }} location = /app-id.json {{
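Review bot: Moving `add_header Content-Security-Policy` into `location /` silently drops the server-level headers for web-vault responses, because nginx inherits `add_header` from the enclosing level only when the current level defines none of its own; after this change, responses from `location /` carry the CSP header but no longer X-Content-Type-Options, X-XSS-Protection or Referrer-Policy. The `#add_header X-Frame-Options SAMEORIGIN;` line stays commented out, so any framing protection now depends on what `{ContentSecurityPolicy}` contains, which this hunk does not show. To keep the three headers on the web vault, repeat them inside the location block next to the moved line: `add_header X-Content-Type-Options nosniff;`, `add_header X-XSS-Protection ""1; mode=block"";`, `add_header Referrer-Policy same-origin;` (or put all of them in one snippet that both levels include). A short comment above the moved line, `# add_header in a location replaces, not extends, the server-level headers`, would keep the next maintainer from reintroducing the same gap. The enclosing method body starts and ends outside the hunk.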