thinmy/nginx.web-headers.conf

## nginx.web-headers.conf
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Download-Options "noopen";
add_header X-XSS-Protection "1; mode=block";
add_header Expect-CT "enforce; max-age=3600";
add_header Referrer-Policy "origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";
add_header Content-Security-Policy "default-src 'self'; script-src *; style-src *; font-src *; img-src *; child-src 'self'; connect-src *; sandbox allow-same-origin allow-forms allow-scripts; object-src 'self'; form-action 'self'; frame-ancestors 'none';";

# ABOUT PLUBIC KEY PINS https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
add_header Public-Key-Pins "pin-sha256='XX_B64_BASED_PIN_FROM_SHA256'; pin-sha256='XX_B64_BASED_PIN_FROM_SHA256'; pin-sha256='XX_B64_BASED_PIN_FROM_SHA256'; includeSubdomains; max-age=31536000" always;
	add_header X-Content-Type-Options "nosniff";
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-Download-Options "noopen";
	add_header X-XSS-Protection "1; mode=block";
	add_header Expect-CT "enforce; max-age=3600";
	add_header Referrer-Policy "origin-when-cross-origin";
	add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";
	add_header Content-Security-Policy "default-src 'self'; script-src ; style-src ; font-src ; img-src ; child-src 'self'; connect-src *; sandbox allow-same-origin allow-forms allow-scripts; object-src 'self'; form-action 'self'; frame-ancestors 'none';";

	# ABOUT PLUBIC KEY PINS https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
	add_header Public-Key-Pins "pin-sha256='XX_B64_BASED_PIN_FROM_SHA256'; pin-sha256='XX_B64_BASED_PIN_FROM_SHA256'; pin-sha256='XX_B64_BASED_PIN_FROM_SHA256'; includeSubdomains; max-age=31536000" always;