Setting headers
Nick Rickard
nick at nickrickard.co.uk
Tue May 12 07:23:45 UTC 2026
>I am considering for top-level server block the following:
>
> add_header X-XSS-Protection "1; mode=block" always;
I understood [citation needed] that this was now obsolete and not
required for any reasonably modern browsers and is better mitigated by
Content-Security-Policy (see below). I've removed it.
> add_header X-Frame-Options "SAMEORIGIN";
add_header X-Frame-Options "SAMEORIGIN" always;
Adding 'always' will enforce it across all responses (e.g. 404).
> add_header X-Content-Type-Options nosniff;
add_header X-Content-Type-Options "nosniff" always;
As before, with 'always'. Mine has quotes around "nosniff".
> add_header 'Referrer-Policy' 'origin';
add_header Referrer-Policy "no-referrer" always;
Personally I remove all referrer information, but personal choice
Additionally, you probably want
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
if you use HTTPS
And probably
add_header Content-Security-Policy ...
for which
https://scotthelme.co.uk/csp-cheat-sheet
is a good reference and
https://docs.report-uri.com/setup/wizard/
can help to generate it for you
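A small checker for the point made above about 'always', added here as an example and not part of the original post or of nginx itself: it parses raw HTTP response heads and reports, per status code, which of the headers discussed in the thread are missing or weak. The two captures below are constructed; the 404 one mimics what a server sends when add_header lacks 'always', since nginx then only adds the headers to 2xx and 3xx responses. The accepted values and the one-year HSTS minimum are taken from the thread; the function and constant names are mine.

```python
"""Audit security response headers per status code (constructed samples)."""
import re

# Headers recommended in the thread and the values accepted as "ok".
# Referrer-Policy and CSP are checked for presence only: the thread calls the
# referrer value a personal choice and leaves the CSP value to the reader.
ACCEPTED_VALUES = {
    "x-frame-options": {"SAMEORIGIN", "DENY"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": None,
    "content-security-policy": None,
}
MIN_HSTS_MAX_AGE = 31536000          # one year, the value used in the thread
OBSOLETE = ("x-xss-protection",)     # the thread recommends removing this one


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, {lower-cased header name: value}) for a raw response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]   # drop the body
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_response(raw: str, https: bool = True) -> dict[str, str]:
    """Map each problematic header to a short reason; an empty dict means clean."""
    _, headers = parse_response(raw)
    findings: dict[str, str] = {}

    for name, accepted in ACCEPTED_VALUES.items():
        value = headers.get(name)
        if value is None:
            findings[name] = "missing"
        elif accepted is not None and value.upper() not in {a.upper() for a in accepted}:
            findings[name] = f"unexpected value {value!r}"

    if https:  # HSTS only applies to HTTPS, as the post notes
        hsts = headers.get("strict-transport-security")
        match = re.search(r"max-age=(\d+)", hsts or "")
        if hsts is None:
            findings["strict-transport-security"] = "missing"
        elif not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings["strict-transport-security"] = f"max-age below {MIN_HSTS_MAX_AGE}"

    for name in OBSOLETE:
        if name in headers:
            findings[name] = "obsolete, remove"
    return findings


def audit_site(responses: list[str], https: bool = True) -> dict[int, dict[str, str]]:
    """Audit several captured responses and keep only the ones with findings, by status."""
    result: dict[int, dict[str, str]] = {}
    for raw in responses:
        status, _ = parse_response(raw)
        findings = audit_response(raw, https)
        if findings:
            result[status] = findings
    return result


# Constructed captures: a correctly configured 200, and the 404 the same
# server sends when 'always' was omitted from the add_header directives.
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
    "<html>ok</html>"
)
SAMPLE_404_NO_ALWAYS = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>404</html>"
)

if __name__ == "__main__":
    for status, findings in audit_site([SAMPLE_200, SAMPLE_404_NO_ALWAYS]).items():
        print(status, findings)
```

Running it against a real server means capturing the heads of both a normal page and an error page (for example with curl -sI) and feeding them in; the 404 is the one that reveals a missing 'always'.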