# The X-Frame-Options header indicates whether a browser should be allowed # to render a page within a frame or iframe. add_header X-Frame-Options SAMEORIGIN always; # MIME type sniffing security protection # There are very few edge cases where you wouldn't want this enabled. add_header X-Content-Type-Options nosniff always; # The X-XSS-Protection header is used by Internet Explorer version 8+ # The header instructs IE to enable its inbuilt anti-cross-site scripting filter. add_header X-XSS-Protection "1; mode=block" always; # with Content Security Policy (CSP) enabled (and a browser that supports it (https://caniuse.com/#feat=contentsecuritypolicy), # you can tell the browser that it can only download content from the domains you explicitly allow # CSP can be quite difficult to configure, and cause real issues if you get it wrong # There is website that helps you generate a policy here https://www.cspisawesome.com/ # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;