From 893cb884eed520b6bea1a74ec28c37ac8c0a2767 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Thu, 5 Sep 2019 14:44:32 +0530
Subject: [PATCH] fix(security): Force download html, svg and xml files

Same as https://github.com/frappe/frappe/pull/7074 for public files in production environment
---
 bench/config/templates/nginx.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/bench/config/templates/nginx.conf b/bench/config/templates/nginx.conf
index 629dad3c..557b97ae 100644
--- a/bench/config/templates/nginx.conf
+++ b/bench/config/templates/nginx.conf
@@ -34,7 +34,7 @@ server {
 ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
 ssl_prefer_server_ciphers on;
 {% endif %}
-
+ add_header X-Frame-Options "SAMEORIGIN";
 location /assets {
@@ -58,6 +58,12 @@ server {
 }
 location / {
+
+ location ~ ^/files/.*.(htm|html|svg|xml) {
+ add_header Content-disposition "attachment";
+ try_files /{{ site_name }}/public/$uri @webserver;
+ }
+
 try_files /{{ site_name }}/public/$uri @webserver;
 }
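Review bot: The nested `location ~ ^/files/.*.(htm|html|svg|xml)` in the second hunk is case-sensitive and has no end anchor, so an upload named `report.HTML` or `logo.Svg` does not match and is still served inline with whatever type nginx maps for it, while the unescaped `.` and missing `$` also catch unrelated names such as `/files/asvg.png` or `/files/notes.html.pdf`. I would write it as `location ~* ^/files/.*\.(htm|html|svg|xml)$ {`, adding `xhtml` to the alternation deliberately since the unescaped dot only covered it by accident. Separately, nginx does not inherit `add_header` from an outer level once a block declares its own, so this nested block silently drops the `X-Frame-Options "SAMEORIGIN"` header introduced in the first hunk; repeat `add_header X-Frame-Options "SAMEORIGIN";` inside it, ideally together with `add_header X-Content-Type-Options "nosniff";` so the forced download is not undone by content sniffing. The enclosing `server {` block starts and ends outside both hunks.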