nginx: discourage indexing of proxied apps; document Portainer Safe Browsing fix#28

Merged: verzog merged 1 commit into main from claude/fix-portainer-security-warning-BhvAC on Apr 21, 2026

@verzog verzog commented Apr 21, 2026

Summary

Google Safe Browsing periodically flags Portainer instances as "deceptive" because its login page trips generic phishing heuristics. These changes reduce recurrence and document the actual fix (a Search Console review).

nginx template (conf/nginx.conf)

  • Serve a restrictive robots.txt at __PATH__/robots.txt (Disallow: /) so crawlers don't index the proxied UI.
  • Add X-Robots-Tag: noindex, nofollow, noarchive on proxied responses.
  • Add baseline security headers: X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, X-Frame-Options: SAMEORIGIN.

These apply to every container deployed with this package, which is appropriate — admin UIs and self-hosted apps proxied through this template should not be indexed.

DOCKER_IMAGES.md

  • Switched the recommended Portainer tag from :latest to :lts.
  • Added a "Google Safe Browsing false-positives" subsection explaining:
    • Request review in Search Console (the only step that actually clears the warning).
    • Don't share the public URL.
    • Remove visitors from the YunoHost permission to put the login behind SSO.

Test plan

  • Install a fresh instance of the app and hit <domain>/<path>/robots.txt — should return User-agent: *\nDisallow: /.
  • curl -I <domain>/<path>/ shows X-Robots-Tag, X-Content-Type-Options, Referrer-Policy, and X-Frame-Options.
  • Portainer still loads and WebSocket console still works (terminal access to containers).
  • Existing deployments upgrade cleanly with no nginx reload errors.

https://claude.ai/code/session_01AkRk51LoHpNoFFumpchS8x

Google Safe Browsing periodically flags Portainer logins as phishing.
Serve a restrictive robots.txt at the app subpath and set X-Robots-Tag
noindex/nofollow so crawlers don't feed the classifier. Add baseline
security headers (X-Content-Type-Options, Referrer-Policy,
X-Frame-Options). Document the Search Console review step and the
permission-restriction workaround in DOCKER_IMAGES.md.
@verzog verzog merged commit d3d4f38 into main Apr 21, 2026
0 of 2 checks passed
@verzog verzog deleted the claude/fix-portainer-security-warning-BhvAC branch April 21, 2026 18:48
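
The header and robots.txt checks from the test plan in the PR description, written as a repeatable check. This is an added example, not code from this repository: `check_headers`, `robots_blocks_all` and the `SAMPLE_*` inputs are names and data constructed here, and `check_headers` expects the text printed by `curl -sI <domain>/<path>/`.

```python
# Expected values come from the PR's test plan; the SAMPLE_* inputs are constructed.
EXPECTED = {
    "x-robots-tag": {"noindex", "nofollow", "noarchive"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"no-referrer"},
    "x-frame-options": {"sameorigin"},
}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /\n"
SAMPLE_HEAD = """HTTP/1.1 200 OK
X-Robots-Tag: noindex, nofollow, noarchive
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-Frame-Options: SAMEORIGIN
"""


def check_headers(raw):
    """Return a list of problems in raw `curl -sI` output (empty list = pass)."""
    seen = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            break  # blank line ends the header block
        seen.setdefault(name.strip().lower(), []).append(value.lower())
    problems = []
    for name, wanted in EXPECTED.items():
        values = seen.get(name, [])
        tokens = {t.strip() for v in values for t in v.split(",")}
        if not values:
            problems.append(f"missing {name}")
        elif len(values) > 1:  # sent twice, e.g. by both the proxy and the app
            problems.append(f"duplicate {name}")
        elif not wanted <= tokens:
            problems.append(f"{name} lacks {', '.join(sorted(wanted - tokens))}")
    return problems


def robots_blocks_all(body):
    """True if the '*' group of a robots.txt body contains 'Disallow: /'."""
    agents, rules = set(), False
    for line in body.splitlines():
        key, _, value = (p.strip().lower() for p in line.split("#", 1)[0].partition(":"))
        if key == "user-agent":
            # a user-agent line that follows rules starts a new group
            agents, rules = ({value} if rules else agents | {value}), False
        elif key in ("allow", "disallow"):
            rules = True
            if (key, value) == ("disallow", "/") and "*" in agents:
                return True
    return False
```

Crawlers fetch robots.txt only from the root of a host (RFC 9309), so for an app installed under a subpath the `X-Robots-Tag` check is the one that reflects what crawlers will honour.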