raco · June 25, 2018 23:02
diff --git a/nginx_security_headers b/nginx_security_headers
 # Security headers
 add_header Strict-Transport-Security "max-age=2592000; includeSubDomains; preload";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header Content-Security-Policy "default-src 'self' www.google-analytics.com ajax.googleapis.com www.google.com google.com gstatic.com www.gstatic.com connect.facebook.net facebook.com;";
 add_header X-XSS-Protection "1; mode=block";
 add_header Referrer-Policy "origin";


 #https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Frame-Options
 #https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Content-Type-Options
 #https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff#_=_
 #https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 #https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-XSS-Protection
 #https://developer.mozilla.org/es/docs/Web/HTTP/Headers/Referrer-Policy
 #https://scotthelme.co.uk/a-new-security-header-referrer-policy/
	# Security headers
	add_header Strict-Transport-Security "max-age=2592000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header Content-Security-Policy "default-src 'self' www.google-analytics.com ajax.googleapis.com www.google.com google.com gstatic.com www.gstatic.com connect.facebook.net facebook.com;";
	add_header X-XSS-Protection "1; mode=block";
	add_header Referrer-Policy "origin";


	#https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Frame-Options
	#https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Content-Type-Options
	#https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff#_=_
	#https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
	#https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-XSS-Protection
	#https://developer.mozilla.org/es/docs/Web/HTTP/Headers/Referrer-Policy
	#https://scotthelme.co.uk/a-new-security-header-referrer-policy/