xamxam/nginx/docs/SECURITY_HEADERS.md
Pontoporeia 04094d802d fix: harden security based on pentest scan findings
- Add Content-Security-Policy to main nginx server block (was only on /admin/)
- Add Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers
- Add includeSubDomains to HSTS header
- Set HttpOnly, Secure, SameSite=Lax session cookie params on public pages
  (AdminAuth already hardens the /admin session with SameSite=Strict)
- Update xamxam.conf.reference and SECURITY_HEADERS.md to match
2026-05-19 00:08:06 +02:00


# Security Headers — nginx/xamxam.conf

## Headers in use (main server block — all pages)

| Header | Value | Purpose |
|---|---|---|
| Strict-Transport-Security | `max-age=63072000; includeSubDomains; preload` | HSTS: forces HTTPS |
| Content-Security-Policy | `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; block embedding |
| X-Frame-Options | `SAMEORIGIN` | Prevent clickjacking |
| X-Content-Type-Options | `nosniff` | Prevent MIME-type sniffing |
| Referrer-Policy | `strict-origin-when-cross-origin` | Limit referrer leakage |
| Permissions-Policy | `geolocation=(), microphone=(), camera=()` | Disable unused browser APIs |
| Cross-Origin-Opener-Policy | `same-origin` | Isolates the browsing context |
| Cross-Origin-Resource-Policy | `same-origin` | Controls cross-origin resource sharing |

## Headers in use (/admin/ location block — inherited from main + overrides)

| Header | Value | Purpose |
|---|---|---|
| Content-Security-Policy | `default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; allows inline scripts for the OverType editor |
| X-Robots-Tag | `noindex, nofollow` | Prevent search-engine indexing of admin |

These were previously declared in public/admin/.htaccess as Apache mod_headers directives, which nginx silently ignores. They are now configured in nginx/xamxam.conf and enforced directly; see HTACCESS_TO_NGINX.md for the full migration log.

## Intentionally omitted headers

### X-XSS-Protection

This header was removed (was "1; mode=block").

Why: X-XSS-Protection is deprecated and removed from all modern browsers (Chrome 78+, Firefox never implemented it, Edge dropped it). Worse, the mode=block behaviour can be actively exploited to expose response bodies that would otherwise be blocked. Sending it provides no protection and may introduce risk.

Correct mitigation: a proper Content-Security-Policy header (now done for /admin/; public-page CSP is todo item #11).
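A small audit script, added here as an example and not part of the xamxam project, that checks a captured set of response headers against the two tables above and flags the deprecated X-XSS-Protection header if it reappears. The header values are a constructed sample; `SAMPLE_PUBLIC_HEADERS`, `parse_csp` and `audit_headers` are names chosen for this example.

```python
import re
# Constructed sample of the headers a public page is expected to return (not a real capture).
SAMPLE_PUBLIC_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; "
                               "img-src 'self' data:; object-src 'none'; frame-ancestors 'none';",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers, admin=False):
    """Compare a response's headers to the documented policy; returns a list of findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 63072000:
        findings.append("HSTS max-age missing or below two years")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none'")
    if csp.get("object-src") != ["'none'"]:
        findings.append("CSP object-src is not 'none'")
    # Inline scripts are tolerated only under /admin/ (OverType editor); script-src falls back to default-src.
    if not admin and "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("public CSP allows inline scripts")
    for name, want in [("x-content-type-options", "nosniff"), ("cross-origin-opener-policy", "same-origin"),
                       ("cross-origin-resource-policy", "same-origin")]:
        if h.get(name, "").lower() != want:
            findings.append(f"{name} is not '{want}'")
    if admin and "noindex" not in h.get("x-robots-tag", "").lower():
        findings.append("admin response lacks X-Robots-Tag: noindex")
    if "x-xss-protection" in h:  # deprecated header is intentionally omitted; its presence is a regression
        findings.append("X-XSS-Protection is present (deprecated; should be omitted)")
    return findings
```

Run it against headers captured with `curl -I` to confirm a deployment still matches this document after a config change.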