Move header options around to give onion sites better protection

src/freedombone-utils-web

@@ -76,6 +76,10 @@ function nginx_disable_sniffing {
     filename=/etc/nginx/sites-available/$domain_name
     { echo '    add_header X-Frame-Options DENY;';
       echo '    add_header X-Content-Type-Options nosniff;';
+      echo '    add_header X-XSS-Protection "1; mode=block";';
+      echo '    add_header X-Robots-Tag none;';
+      echo '    add_header X-Download-Options noopen;';
+      echo '    add_header X-Permitted-Cross-Domain-Policies none;';
       echo ''; } >> "$filename"
 }
 
@@ -157,11 +161,7 @@ function nginx_ssl {
     else
         echo "    ssl_ciphers '$SSL_CIPHERS';" >> "$filename"
     fi
-    { echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";";
-      echo '    add_header X-XSS-Protection "1; mode=block";';
-      echo '    add_header X-Robots-Tag none;';
-      echo '    add_header X-Download-Options noopen;';
-      echo '    add_header X-Permitted-Cross-Domain-Policies none;'; } >> "$filename"
+    echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> "$filename"
 
     #nginx_stapling $1
 }