zladuric · March 5, 2019 08:05
diff --git a/nginx security headers.conf b/nginx security headers.conf
 # Security headers
 # HSTS. Tell the browser only to access via https, and include subdomains as well.
 add_header Strict-Transport-Security "max-age=2592000; includeSubDomains; preload";
 # Tell the browser not to include our page as a frame in other pages.
 add_header X-Frame-Options DENY;
 # Tell the browser not to guess what type the file is
 add_header X-Content-Type-Options nosniff;
 ## Tell the browser to only execute scripts included from our domain or www.some-analytics.com
 add_header Content-Security-Policy "default-src 'self' www.some-analytics.com;";
 # Cross site prot headers. Block rendering if CSS detected.
 add_header X-XSS-Protection "1; mode=block";
 ## Keep the host in referrer header
 add_header Referrer-Policy "origin";
	# Security headers
	# HSTS. Tell the browser only to access via https, and include subdomains as well.
	add_header Strict-Transport-Security "max-age=2592000; includeSubDomains; preload";
	# Tell the browser not to include our page as a frame in other pages.
	add_header X-Frame-Options DENY;
	# Tell the browser not to guess what type the file is
	add_header X-Content-Type-Options nosniff;
	## Tell the browser to only execute scripts included from our domain or www.some-analytics.com
	add_header Content-Security-Policy "default-src 'self' www.some-analytics.com;";
	# Cross site prot headers. Block rendering if CSS detected.
	add_header X-XSS-Protection "1; mode=block";
	## Keep the host in referrer header
	add_header Referrer-Policy "origin";