--- a/contrib/provision/roles/tram-im/templates/etc/nginx/sites-available/tram-im Sat Dec 03 01:28:43 2016 +0800
+++ b/contrib/provision/roles/tram-im/templates/etc/nginx/sites-available/tram-im Sat Dec 03 01:30:47 2016 +0800
resolver {{ nginx_resolver }};
resolver_timeout {{ nginx_resolver_timeout }};
- # access from <frame | iframe | object>: DENY | SAMEORIGIN | ALLOW-FROM uri
- add_header X-Frame-Options 'SAMEORIGIN';
# HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
add_header Strict-Transport-Security 'max-age=31536000';
add_header Cache-Control private;
+ # Various security headers not related to HTTPS
+ # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection '1; mode=block';
access_log /var/log/nginx/{{ domain }}.access.log;
error_log /var/log/nginx/{{ domain }}.error.log;