nginx 5 lines · 1 tab

Core HTTP security headers at the reverse proxy layer

Kai Nakamura Apr 2026
1 tab
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
1 file · nginx Explain with highlit

I like setting baseline browser hardening headers at the proxy so every app behind it benefits. HSTS, clickjacking protection, MIME sniffing prevention, and sane referrer policy are cheap wins. The only caveat is making sure the settings match real deployment behavior before forcing them everywhere.

Share this code

Here's the card — post it anywhere.

Core HTTP security headers at the reverse proxy layer — share card
Link copied