--- a/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Mon Jun 27 18:09:10 2016 +0800
+++ b/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Mon Jun 27 18:13:01 2016 +0800
add_header Cache-Control private;
- # access from <frame | iframe | object>: DENY | SAMEORIGIN | ALLOW-FROM uri
- add_header X-Frame-Options 'SAMEORIGIN';
+ # Various security headers not related to HTTPS
+ # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection '1; mode=block';
access_log /var/log/nginx/fruitbar.{{ umbrella }}.access.log;
error_log /var/log/nginx/fruitbar.{{ umbrella }}.error.log;
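Review bot: The three new add_header lines carry no `always` parameter, so nginx emits X-Frame-Options, X-Content-Type-Options and X-XSS-Protection only on 2xx/3xx responses; error responses (4xx/5xx, including whatever the upstream returns for a 404 or 502) leave without them. Since nginx 1.7.5 the fix is one word per line, e.g. `add_header X-Frame-Options DENY always;`, applied likewise to the other two. A comment next to the new block would also save a later reader a surprise: `add_header` is inherited from this level only by location blocks that declare no `add_header` of their own, so a nested location that adds one header silently drops all of these. The enclosing server block begins and ends outside the hunk, so whether such a location exists cannot be seen here.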