From 6c609aeb3d0bfb6fe39cbae014f0493973d1c5db Mon Sep 17 00:00:00 2001 From: Julien Castiaux Date: Thu, 4 Dec 2025 16:19:32 +0100 Subject: [PATCH] [IMP] admin: missing header with X-Accel-Redirect Nginx doesn't set the Content-Security-Policy and X-Content-Type-Options headers on the response it sends to the browser even though they were present on the response from the Odoo server. --- content/administration/on_premise/deploy.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/administration/on_premise/deploy.rst b/content/administration/on_premise/deploy.rst index e096b55eb8..9d9448d5fd 100644 --- a/content/administration/on_premise/deploy.rst +++ b/content/administration/on_premise/deploy.rst @@ -533,6 +533,8 @@ X-Sendfile and X-Accel). location /web/filestore { internal; alias /path/to/odoo/data-dir/filestore; + add_header Content-Security-Policy $upstream_http_content_security_policy; + add_header X-Content-Type-Options nosniff; } In case you don't know what is the path to your filestore, start Odoo with the