diff --git a/README.md b/README.md
index 15cac4f..d936a55 100644
--- a/README.md
+++ b/README.md
@@ -209,6 +209,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **18.11.19:** - Nginx default site config updated for v17 (existing users should delete `/config/nginx/site-confs/default` and restart the container).
 * **28.10.19:** - Change cronjob to run every 5 minutes.
 * **24.10.19:** - Nginx default site config updated due to CVE-2019-11043 (existing users should delete `/config/nginx/site-confs/default` and restart the container).
 * **14.07.19:** - Download nextcloud during build time.
diff --git a/readme-vars.yml b/readme-vars.yml
index 1c561d1..6d26186 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -60,6 +60,7 @@ app_setup_block: |
 # changelog
 changelogs:
+ - { date: "18.11.19:", desc: "Nginx default site config updated for v17 (existing users should delete `/config/nginx/site-confs/default` and restart the container)." }
 - { date: "28.10.19:", desc: "Change cronjob to run every 5 minutes." }
 - { date: "24.10.19:", desc: "Nginx default site config updated due to CVE-2019-11043 (existing users should delete `/config/nginx/site-confs/default` and restart the container)." }
 - { date: "14.07.19:", desc: "Download nextcloud during build time." }
diff --git a/root/defaults/default b/root/defaults/default
index 469e01d..ab41b52 100644
--- a/root/defaults/default
+++ b/root/defaults/default
@@ -17,6 +17,7 @@ server {
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
 fastcgi_hide_header X-Powered-By;
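Review bot: The new `add_header X-Frame-Options "SAMEORIGIN";` in the server block is only sent on a fixed set of 2xx/3xx status codes, because nginx skips `add_header` on other responses unless the `always` parameter is given. Error pages generated by nginx itself would therefore still be frameable. I would write it as `add_header X-Frame-Options "SAMEORIGIN" always;`, and the same applies to the copy added in the css/js location in the next hunk. The neighbouring headers in this list have the same gap, so it may be worth changing them together. The server block starts and ends outside the hunk.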
@@ -67,18 +68,19 @@ server {
 try_files $uri/ =404;
 index index.php;
 }
- location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
 try_files $uri /index.php$request_uri;
 add_header Cache-Control "public, max-age=15778463";
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
 access_log off;
 }
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
 try_files $uri /index.php$request_uri;
 access_log off;
 }
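Review bot: The css/js location has to repeat every security header, X-Frame-Options included, because nginx stops inheriting `add_header` from the server block as soon as a location declares one of its own (here `Cache-Control`), and nothing in the file says so. A comment above the list such as `# add_header is not inherited once a block sets its own; keep this list in sync with the server block` would stop the next header from being added in only one place. The png/html/… location below declares no `add_header`, so it should pick up the server-level set as long as no header is later added there. The server block itself continues outside the hunk.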