# Security Headers — nginx/posterg.conf

## Headers in use (main server block — all pages)

| Header | Value | Purpose |
|--------|-------|---------|
| `X-Frame-Options` | `SAMEORIGIN` | Prevent clickjacking |
| `X-Content-Type-Options` | `nosniff` | Prevent MIME-type sniffing |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Limit referrer leakage |
| `Permissions-Policy` | `geolocation=(), microphone=(), camera=()` | Disable unused browser APIs |

## Headers in use (`/admin/` location block)

| Header | Value | Purpose |
|--------|-------|---------|
| `Content-Security-Policy` | `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; block embedding |
| `X-Robots-Tag` | `noindex, nofollow` | Prevent search-engine indexing of admin |

These were previously declared in `public/admin/.htaccess` as Apache `mod_headers` directives, which nginx silently ignores. They are now enforced directly; see `HTACCESS_TO_NGINX.md` for the full migration log.

## Intentionally omitted headers

### `X-XSS-Protection`

This header was **removed** (was `"1; mode=block"`).

**Why:** `X-XSS-Protection` is deprecated and removed from all modern browsers (Chrome 78+, Firefox never implemented it, Edge dropped it). Worse, the `mode=block` behaviour can be [actively exploited](https://portswigger.net/daily-swig/xss-protection-header-is-no-longer-supported-in-any-major-browser) to expose response bodies that would otherwise be blocked. Sending it provides no protection and may introduce risk.

**Correct mitigation:** a proper `Content-Security-Policy` header (now done for `/admin/`; public-page CSP is todo item #11).

## Pending headers

| Header | Scope | Status |
|--------|-------|--------|
| `Content-Security-Policy` | Public pages (non-admin) | ⏳ todo item #11 |
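The two header tables above, written out as nginx `add_header` directives. This is an added illustration, not the project's own `nginx/posterg.conf`; the `server_name`, `root` and certificate paths are placeholders, and the `always` parameter (which attaches the header to error responses too, not only 2xx/3xx) is a choice made here rather than something the tables state. The one nginx behaviour worth seeing in code is that `add_header` is inherited from the `server` level only when a `location` declares no `add_header` of its own, so the `/admin/` block has to repeat the four site-wide headers or it silently loses them.

```nginx
# Added example, not the project's posterg.conf. Placeholder values are marked.
server {
    listen 443 ssl;
    server_name example.invalid;                     # placeholder hostname
    root /var/www/posterg/public;                    # assumed document root
    ssl_certificate     /etc/ssl/placeholder.crt;    # placeholder
    ssl_certificate_key /etc/ssl/placeholder.key;    # placeholder

    # Site-wide headers (main server block table). `always` also covers 4xx/5xx.
    add_header X-Frame-Options        "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy        "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy     "geolocation=(), microphone=(), camera=()" always;

    # X-XSS-Protection is deliberately NOT sent (see "Intentionally omitted headers").

    location /admin/ {
        # Any add_header here disables inheritance of the server-level ones,
        # so the four site-wide headers must be restated inside this block.
        add_header X-Frame-Options        "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy        "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy     "geolocation=(), microphone=(), camera=()" always;

        # Admin-only headers (/admin/ location block table).
        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
        add_header X-Robots-Tag "noindex, nofollow" always;
    }
}
```

After a reload, compare `curl -sI` output for a public path and for `/admin/` against the tables: the public path should carry four headers, `/admin/` six. Where both `X-Frame-Options: SAMEORIGIN` and `frame-ancestors 'none'` are present, browsers that understand CSP apply the stricter `frame-ancestors` rule, so `/admin/` cannot be framed even from the same origin; `X-Frame-Options` remains as the fallback for older clients.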