nginx
5 lines · 1 tab
Kai Nakamura
Apr 2026
1 tab
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
1 file · nginx
Explain with highlit
I like setting baseline browser hardening headers at the proxy so every app behind it benefits. HSTS, clickjacking protection, MIME sniffing prevention, and sane referrer policy are cheap wins. The only caveat is making sure the settings match real deployment behavior before forcing them everywhere.
Share this code
Here's the card — post it anywhere.