--- a/roles/nginx/templates/etc/nginx/sites-available/munin Sat Jun 25 12:28:29 2016 +0800
+++ b/roles/nginx/templates/etc/nginx/sites-available/munin Sat Jun 25 12:29:01 2016 +0800
ssl_session_cache shared:SSL:1m;
- # access from <frame | iframe | object>: DENY | SAMEORIGIN | ALLOW-FROM uri
- add_header X-Frame-Options 'SAMEORIGIN';
+ # Various security headers not related to HTTPS
+ # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection '1; mode=block';
# HPKP: 5184000 = 60 days
add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000';
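Review bot: The three new `add_header` lines (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) will silently vanish on any response served from a nested `location` that declares an `add_header` of its own, because nginx inherits `add_header` from the enclosing level only when the current level defines none, and without the `always` flag they are also omitted from 4xx/5xx responses — exactly the pages an attacker is most likely to frame or sniff. If the target nginx is 1.7.5 or newer, write `add_header X-Frame-Options DENY always;` (and the same for the other two), and either keep all security headers in one included snippet or repeat them in every `location` that sets a header itself; the location blocks are not visible in this hunk, so please confirm which case applies. `X-XSS-Protection` is a legacy browser filter that has itself been abused as a side channel, so it should be regarded as harmless at best and not treated as a substitute for a Content-Security-Policy header. The enclosing `server` block starts and ends outside the hunk.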