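@@ -1,20 +1,17 @@
 # General security-related directives.
 
-http {
+# Don't offer up information about the version of Nginx we use
+server_tokens off;
 
- # Don't offer up information about the version of Nginx we use
- server_tokens off;
+# Don't allow other websites to present our content in a frame/iframe.
+# This mitigates clickjacking attacks.
+add_header X-Frame-Options "SAMEORIGIN";
 
- # Don't allow other websites to present our content in a frame/iframe.
- # This mitigates clickjacking attacks.
- add_header X-Frame-Options "SAMEORIGIN";
+# Don't allow browsers to try and sniff content types. This prevents
+# malicious user-generated content being misinterpreted.
+add_header X-Content-Type-Options "nosniff";
 
- # Don't allow browsers to try and sniff content types. This prevents
- # malicious user-generated content being misinterpreted.
- add_header X-Content-Type-Options "nosniff";
+# Enable XSS protection, if browsers don't already have it enabled
+# by default.
+add_header X-XSS-Protection "1; mode=block";
 
-# Enable XSS protection, if browsers don't already have it enabled
- # by default.
- add_header X-XSS-Protection "1; mode=block";
-
-}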
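Review bot: The three `add_header` lines in the new top-level snippet are silently dropped in any `server` or `location` block that declares its own `add_header`, because nginx inherits `add_header` from the enclosing level only when the current level sets none; the file should warn whoever includes it, e.g. `# NOTE: add_header is not merged across levels — a server/location that sets its own add_header must include this file again.` The headers are also omitted from 4xx/5xx responses unless the `always` parameter is given (nginx 1.7.5+), so error pages stay frameable; the anti-clickjacking and anti-sniffing lines should read `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header X-Content-Type-Options "nosniff" always;`. The `X-XSS-Protection "1; mode=block"` directive and the comment above it overstate what it buys: current browsers have removed the XSS auditor and OWASP now recommends `0` or a Content-Security-Policy instead, so at minimum the comment should say it is a legacy header kept only for old browsers. Since the `http {}` wrapper was removed, a first-line comment such as `# Include this file from the http{} context of nginx.conf` would make the intended usage explicit.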