# General security-related directives.

# Don't offer up information about the version of Nginx we use
server_tokens      off;

# Don't allow other websites to present our content in a frame/iframe.
# This mitigates clickjacking attacks.
add_header         X-Frame-Options "SAMEORIGIN";

# Don't allow browsers to try and sniff content types. This prevents
# malicious user-generated content being misinterpreted.
add_header         X-Content-Type-Options "nosniff";

# Enable XSS protection, if browsers don't already have it enabled
# by default.
add_header         X-XSS-Protection "1; mode=block";