update

security.conf

@@ -4,9 +4,13 @@ server_tokens off;
 add_header	Referrer-Policy	strict-origin-when-cross-origin always;
 add_header	X-Frame-Options	SAMEORIGIN always;
 add_header	X-Content-Type-Options	nosniff always;
+
+# Explicitly disable the legacy XSS Auditor. Modern browsers removed it, and
+# some older implementations created security bugs of their own.
 add_header	X-XSS-Protection	"0" always;
 
-# Redirect `example.com.` to `example.com`
+# Redirect `example.com.` to `example.com`. Use $host on the target so nginx
+# emits the normalized host without the trailing dot.
 if ($http_host ~ "\.$" ){
     rewrite ^(.*) $scheme://$host$1 permanent;
 }