--- a/roles/nginx/templates/etc/nginx/sites-available/munin Fri Jun 30 10:09:57 2017 +0800
+++ b/roles/nginx/templates/etc/nginx/sites-available/munin Fri Jun 30 10:10:40 2017 +0800
# Various security headers not related to HTTPS
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection '1; mode=block';
+ add_header X-Frame-Options DENY always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-XSS-Protection '1; mode=block' always;
# HPKP: 5184000 = 60 days
- add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000';
+ add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000' always;
# HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
- add_header Strict-Transport-Security 'max-age=31536000';
+ add_header Strict-Transport-Security 'max-age=31536000' always;
add_header Cache-Control private;