child 9:72c6ce33de6f
parent 7:cd553541bd68
8:a4ee025a8854
Anton Shestakov <av6@dwimlabs.net>, Sat, 25 Jun 2016 12:29:01 +0800
add more security headers

1 файлов изменено, 5 вставок(+), 2 удалений(-) [+]
roles/nginx/templates/etc/nginx/sites-available/munin file | annotate | diff | comparison | revisions
--- a/roles/nginx/templates/etc/nginx/sites-available/munin Sat Jun 25 12:28:29 2016 +0800
+++ b/roles/nginx/templates/etc/nginx/sites-available/munin Sat Jun 25 12:29:01 2016 +0800
@@ -26,8 +26,11 @@
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
- # access from <frame | iframe | object>: DENY | SAMEORIGIN | ALLOW-FROM uri
- add_header X-Frame-Options 'SAMEORIGIN';
+ # Various security headers not related to HTTPS
+ # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection '1; mode=block';
# HPKP: 5184000 = 60 days
add_header Public-Key-Pins '{% for r in hpkpinfo.results %}pin-sha256="{{ r.stdout }}"; {% endfor %}max-age=5184000';
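Review bot: The three `add_header` lines added here only take effect on nginx's default set of success and redirect status codes, so 4xx and 5xx responses from this vhost will still go out without X-Frame-Options, X-Content-Type-Options and X-XSS-Protection. Appending the `always` parameter closes that gap, e.g. `add_header X-Frame-Options DENY always;` and likewise for the other two; it requires nginx 1.7.5 or newer, so confirm the deployed version first. Separately, `add_header` is inherited by a `location` only when that location declares no `add_header` of its own. The rest of the server block lies outside this hunk, so it is worth checking that no location below sets a header and thereby silently drops all of these.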