Ignore upstream headers for security headers we set in nginx

Apps like nextcloud set their own security headers ending up with having
them set twice. I am not 100% sure if our headers should win or if we
should not inject headers with nginx if the upstream app sets them already.
This looks like the more permissive case where we simply enforce our
values, regardless what the apps sets.

This also fixes the nextcloud/owncloud security checks which were
failing because the header values were duplicated, which results in
string concatenation of values from same headers.

setup/start/nginx/appconfig.ejs

@@ -32,14 +32,19 @@ server {
 
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
     add_header X-Frame-Options "<%= xFrameOptions %>";
+    proxy_hide_header X-Frame-Options;
 
     # https://github.com/twitter/secureheaders
     # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
     # https://wiki.mozilla.org/Security/Guidelines/Web_Security
     add_header X-XSS-Protection "1; mode=block";
+    proxy_hide_header X-XSS-Protection;
     add_header X-Download-Options "noopen";
+    proxy_hide_header X-Download-Options;
     add_header X-Content-Type-Options "nosniff";
+    proxy_hide_header X-Content-Type-Options;
     add_header X-Permitted-Cross-Domain-Policies "none";
+    proxy_hide_header X-Permitted-Cross-Domain-Policies;
 
     proxy_http_version 1.1;
     proxy_intercept_errors on;
@@ -134,4 +139,3 @@ server {
 <% } %>
     }
 }
-