Created
March 5, 2019 08:05
-
-
Save zladuric/5258878ac4e68ea70096a12a888457f0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Security headers | |
| # HSTS. Tell the browser only to access via https, and include subdomains as well. | |
| add_header Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"; | |
| # Tell the browser not to include our page as a frame in other pages. | |
| add_header X-Frame-Options DENY; | |
| # Tell the browser not to guess what type the file is | |
| add_header X-Content-Type-Options nosniff; | |
| ## Tell the browser to only execute scripts included from our domain or www.some-analytics.com | |
| add_header Content-Security-Policy "default-src 'self' www.some-analytics.com;"; | |
| # Cross site prot headers. Block rendering if CSS detected. | |
| add_header X-XSS-Protection "1; mode=block"; | |
| ## Keep the host in referrer header | |
| add_header Referrer-Policy "origin"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment