16 lines
638 B
Text
16 lines
638 B
Text
## Don't show the nginx version number, a security best practice
|
|
server_tokens off;
|
|
|
|
add_header Referrer-Policy strict-origin-when-cross-origin always;
|
|
add_header X-Frame-Options SAMEORIGIN always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
|
|
# Explicitly disable the legacy XSS Auditor. Modern browsers removed it, and
|
|
# some older implementations created security bugs of their own.
|
|
add_header X-XSS-Protection "0" always;
|
|
|
|
# Redirect `example.com.` to `example.com`. Use $host on the target so nginx
|
|
# emits the normalized host without the trailing dot.
|
|
if ($http_host ~ "\.$" ){
|
|
rewrite ^(.*) $scheme://$host$1 permanent;
|
|
}
|