From f5ba0b10ee6cb01183823339dd2443051ef0dcb9 Mon Sep 17 00:00:00 2001
From: nachoparker
Date: Sat, 9 Mar 2019 02:31:17 -0700
Subject: wizard: fix headers
---
 changelog.md | 4 +++-
 ncp-web/wizard/index.php | 42 ++++++++++++++++++++++++++----------------
 2 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/changelog.md b/changelog.md
index a69183fc..be47dea0 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,7 @@
-[v1.9.2](https://github.com/nextcloud/nextcloudpi/commit/8e97067) (2019-03-08) cleanup update.sh
+[v1.9.3](https://github.com/nextcloud/nextcloudpi/commit/94bdbc3) (2019-03-09) wizard: fix headers
+
+[v1.9.2](https://github.com/nextcloud/nextcloudpi/commit/1a46667) (2019-03-08) cleanup update.sh
 [v1.9.1 ](https://github.com/nextcloud/nextcloudpi/commit/060f004) (2019-03-03) fix LE cron
diff --git a/ncp-web/wizard/index.php b/ncp-web/wizard/index.php
index 930dad1b..4cc6ba6e 100644
--- a/ncp-web/wizard/index.php
+++ b/ncp-web/wizard/index.php
@@ -1,3 +1,29 @@
+ + GPL licensed (see end of file) * Use at your own risk! + + More at https://nextcloudpi.com + +**/
+
+ ini_set('session.cookie_httponly', 1);
+ if ( isset($_SERVER['HTTPS']) )
+ ini_set('session.cookie_secure', 1);
+
+ session_start();
+
+ // security headers
+ header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; object-src 'self';");
+ header("X-XSS-Protection: 1; mode=block");
+ header("X-Content-Type-Options: nosniff");
+ header("X-Robots-Tag: none");
+ header("X-Permitted-Cross-Domain-Policies: none");
+ header("X-Frame-Options: DENY");
+ header("Cache-Control: max-age=15778463");
+?>
@@ -7,22 +33,6 @@
- -- cgit v1.2.3
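Review bot: `if ( isset($_SERVER['HTTPS']) )` in the new index.php header treats any value of `$_SERVER['HTTPS']` as a TLS request, but PHP documents that some SAPIs (ISAPI/IIS) set it to the string `'off'` on plain-HTTP requests, so `session.cookie_secure` would be switched on there and the session cookie would never be returned by the browser; the usual test is `if ( !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' )`, and behind a TLS-terminating proxy the variable may not be set at all, which is worth a comment. `header("Cache-Control: max-age=15778463");` is emitted on a page that calls `session_start()`, telling browsers and any intermediate cache to keep the wizard HTML for roughly six months; if the rendered content depends on session state, a session-bound response normally wants `Cache-Control: no-store` (or at least `private`) rather than a long public lifetime. The CSP uses `object-src 'self'` rather than `'none'` and leaves `base-uri` and `form-action` unset, both of which are not covered by `default-src`, so either add those directives or a comment recording why plugin content from the same origin is needed. The second hunk (`@@ -7,22 +33,6 @@`) has lost its line content in this view, so its removed lines could not be reviewed.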