headers are set by nginx container now

build/nginx/configuration/nginx.conf

@@ -22,9 +22,15 @@ http {
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
-
     access_log  /dev/null  main;
 
+    add_header "Content-Security-Policy" "default-src 'self'; script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'self'; frame-ancestors 'self' https://scripts.zdv.uni-mainz.de; form-action 'self' www.paypal.com";
+    add_header "X-Frame-Options" "sameorigin";
+    add_header "X-Content-Type-Options" "nosniff";
+    add_header "ReferrerPolicy" "origin";
+    add_header "X-XSS-Protection" "1; mode=block";
+    add_header "Permissions-Policy" "interest-cohort=()";
+
     sendfile        on;
     client_max_body_size 30M;
 

chart/values.yaml

@@ -56,13 +56,6 @@ ingress:
     kubernetes.io/tls-acme: "false"
     nginx.ingress.kubernetes.io/client-body-buffer-size: 30m
     nginx.ingress.kubernetes.io/configuration-snippet: >
-      more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-src 'self'; frame-ancestors 'self' https://scripts.zdv.uni-mainz.de; form-action 'self' www.paypal.com";
-      more_set_headers "X-Frame-Options: sameorigin";
-      more_set_headers "X-Content-Type-Options: nosniff";
-      more_set_headers "ReferrerPolicy: origin";
-      more_set_headers "X-XSS-Protection: 1; mode=block";
-      more_set_headers "Permissions-Policy: interest-cohort=()";
-
       if ($arg_out = "results-with-style") {
         more_set_headers "X-Frame-Options: allow-from https://scripts.zdv.uni-mainz.de/";
       }