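# nginx security headers - include this snippet in a `server` (or `location`) block.
# NOTE: nginx `add_header` is NOT merged across configuration levels: a single
# `add_header` inside a `location` block silently drops every header set here.
# Re-include this file in such locations (or use headers-more) and verify the
# live response with `curl -I`.

# Prevent MIME-type sniffing
add_header X-Content-Type-Options nosniff always;

# Enforce HTTPS for 1 year. `includeSubDomains` commits EVERY subdomain to HTTPS,
# so only keep it once all subdomains serve valid TLS. Add `; preload` only if
# you intend to submit the domain to hstspreload.org (removal takes months).
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Protect against clickjacking. Kept consistent with CSP `frame-ancestors 'none'`
# below: browsers that understand frame-ancestors ignore X-Frame-Options, so the
# two must agree (change both to SAMEORIGIN / 'self' if you need same-site framing).
add_header X-Frame-Options DENY always;

# X-XSS-Protection: the legacy XSS auditor is gone from modern browsers, and in
# older ones "1; mode=block" enabled cross-site leaks, so disable it explicitly.
# Real XSS protection comes from the Content-Security-Policy below.
add_header X-XSS-Protection "0" always;

# Restrict browser features (extend with e.g. payment=(), fullscreen=(self) as needed)
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), usb=()" always;

# Cross-Origin Opener Policy: isolates the browsing context from cross-origin
# openers. This breaks window.opener for OAuth/payment popups; use
# `same-origin-allow-popups` on pages that open such popups.
add_header Cross-Origin-Opener-Policy same-origin always;

# Content Security Policy (modify as needed). WARNING: 'unsafe-inline' and
# 'unsafe-eval' in script-src reduce this CSP to almost no XSS mitigation - an
# injected <script> still executes. Move inline scripts to files or use
# nonces/hashes, then drop both keywords. Roll out changes with
# Content-Security-Policy-Report-Only first. Send the header exactly once:
# duplicate CSP headers are both enforced (intersection), which only confuses debugging.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;

# CORS (adjust as needed). `*` lets ANY origin read every response from this
# server. Browsers will not send cookies with a wildcard, but any resource that
# is authorized only by network position (intranet, IP allow-list) becomes
# readable cross-origin. Prefer an explicit origin allow-list on the API
# locations that need it and omit the header everywhere else.
add_header Access-Control-Allow-Origin "*" always;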
Nginx Security Headers