From 6c69e2c9ceb0aa0ad26f5fde0af78210c73301e3 Mon Sep 17 00:00:00 2001
From: Mo Bitar
Date: Fri, 1 Nov 2019 16:53:28 -0500
Subject: [PATCH] Update headers

---
 config/application.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index 15316f229..754c27ab6 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -29,10 +29,12 @@ module StandardNotes
 # }
 
 SecureHeaders::Configuration.default do |config|
- config.x_frame_options = "SAMEORIGIN"
- config.x_content_type_options = "nosniff"
- config.x_xss_protection = "1; mode=block"
- config.hsts = "max-age=#{1.week.to_i}"
+ # Handled by server
+ config.x_frame_options = SecureHeaders::OPT_OUT
+ config.x_content_type_options = SecureHeaders::OPT_OUT
+ config.x_xss_protection = SecureHeaders::OPT_OUT
+ config.hsts = SecureHeaders::OPT_OUT
+
 config.csp = {
 # "meta" values. these will shape the header, but the values are not included in the header.
 preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
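Review bot: The four `SecureHeaders::OPT_OUT` lines make the X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and HSTS headers depend entirely on an external component, and the one-line `# Handled by server` comment does not say which server or deployment configuration now emits them, so any deployment that runs the Rails app without that front end (local runs, a different proxy, a misconfigured one) silently loses clickjacking, MIME-sniffing and HSTS protection with nothing in the app to flag it. I would make the comment name the responsible component and the reason for opting out rather than keeping both, e.g. `# Emitted by the reverse proxy in front of the app (see <deployment config path>); opted out here so the proxy's values are not duplicated or contradicted`, and have the deployment docs list the expected header values so a missing proxy rule is caught by a simple header check. If some environments are served without that proxy, consider gating the opt-out on a deployment setting (an env flag such as `ENV.key?("PROXY_SETS_SECURITY_HEADERS")`, name illustrative) and falling back to the previous literal values otherwise. Note that `config.csp` stays application-managed while the other headers move out, which is fine but worth stating in the same comment so the split is deliberate. The `SecureHeaders::Configuration.default` block continues past the end of the hunk.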