From 1e5a83c5f504b03fc96eef7fb16ac75b817a4a15 Mon Sep 17 00:00:00 2001
From: toufic ar
Date: Thu, 15 Jan 2026 01:40:19 +0200
Subject: [PATCH] nginx 'merge' doesn't actually merge :)
---
 config/http/captiveportal.nix | 2 ++
 config/http/default.nix | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/http/captiveportal.nix b/config/http/captiveportal.nix
index 9f7f77a..12bf377 100644
--- a/config/http/captiveportal.nix
+++ b/config/http/captiveportal.nix
@@ -8,6 +8,8 @@ in {
 add_header Content-Security-Policy "default-src 'none'";
 add_header 'Referrer-Policy' 'same-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
 '';
 locations."/".return = 204;
 forceSSL = false;
diff --git a/config/http/default.nix b/config/http/default.nix
index ffd1e1e..1753981 100644
--- a/config/http/default.nix
+++ b/config/http/default.nix
@@ -16,7 +16,6 @@ in {
 recommendedBrotliSettings = true;
 appendHttpConfig = ''
- add_header_inherit merge;
 add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Frame-Options DENY;
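Review bot: The two `add_header` lines added to this vhost's config string omit `always`, so nginx attaches them only to a fixed list of success and redirect statuses. The 204 from `locations."/".return` is covered, but an error response nginx generates for this server (for example a 400 on a malformed request) would go out without them. Consider `add_header X-Frame-Options DENY always;` and `add_header X-Content-Type-Options nosniff always;`, matching the `always` already on the http-level Content-Security-Policy in default.nix. Because a server block that declares any `add_header` stops inheriting the http-level set, every header wanted here has to be repeated by hand; a comment such as `# http-level add_header is not inherited once this block sets its own; keep in sync with config/http/default.nix` would guard against drift. The config string opens above the hunk, so headers set earlier in it are not visible here.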