## Don't show the nginx version number, a security best practice
server_tokens off;

# Response hardening headers. The trailing `always` makes nginx emit each
# header regardless of the response status, so error pages (4xx/5xx) are
# covered as well, not only successful responses.
# NOTE: add_header is inherited by a child context (server/location) only if
# that context defines no add_header of its own. A location that adds even
# one extra header silently drops every header set here, so repeat the full
# set (or re-include this snippet) in such locations.
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;

# Explicitly disable the legacy XSS Auditor. Modern browsers removed it, and
# some older implementations created security bugs of their own.
add_header X-XSS-Protection "0" always;

# Redirect `example.com.` to `example.com`. Use $host on the target so nginx
# emits the normalized host without the trailing dot.
# The check is done against $http_host, i.e. the raw Host header as the
# client sent it. `permanent` answers with a 301; because the replacement
# carries no `?`, nginx appends the original query string to the target.
if ($http_host ~ "\.$") {
    rewrite ^(.*) $scheme://$host$1 permanent;
}