From a732d1b964400a43a5d4230e27c850316505fc80 Mon Sep 17 00:00:00 2001
From: Julien Castiaux
Date: Tue, 5 Mar 2024 11:10:07 +0100
Subject: [PATCH] [FIX] deploy: enable HSTS also for websocket

Fine tunning of 6a2725e604
closes odoo/documentation#8013
X-original-commit: c00571d724a8c9049ec54142904c17890746f804
Signed-off-by: Martin Trigaux (mat)
Signed-off-by: Julien Castiaux (juc)
---
 content/administration/install/deploy.rst | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/content/administration/install/deploy.rst b/content/administration/install/deploy.rst
index 1e783cc53..12be54c81 100644
--- a/content/administration/install/deploy.rst
+++ b/content/administration/install/deploy.rst
@@ -334,6 +334,9 @@ in ``/etc/nginx/sites-enabled/odoo.conf`` set:
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+ proxy_cookie_flags session_id samesite=lax secure; # requires nginx 1.19.8
 }
 # Redirect requests to odoo backend server
@@ -346,10 +349,8 @@ in ``/etc/nginx/sites-enabled/odoo.conf`` set:
 proxy_redirect off;
 proxy_pass http://odoo;
- # Enable HSTS
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
- # requires nginx 1.19.8
- proxy_cookie_flags session_id samesite=lax secure;
+ proxy_cookie_flags session_id samesite=lax secure; # requires nginx 1.19.8
 }
 # common gzip