xamxam/nginx/docs/SECURITY_HEADERS.md

Security Headers — nginx/posterg.conf

Headers in use (main server block — all pages)

Header	Value	Purpose
X-Frame-Options	SAMEORIGIN	Prevent clickjacking
X-Content-Type-Options	nosniff	Prevent MIME-type sniffing
Referrer-Policy	strict-origin-when-cross-origin	Limit referrer leakage
Permissions-Policy	geolocation=(), microphone=(), camera=()	Disable unused browser APIs

Headers in use (/admin/ location block)

Header	Value	Purpose
Content-Security-Policy	default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';	Restrict resource origins; block embedding
X-Robots-Tag	noindex, nofollow	Prevent search-engine indexing of admin

These were previously declared in public/admin/.htaccess as Apache mod_headers directives, which nginx silently ignores. They are now properly configured in nginx/posterg.conf. enforced directly; see HTACCESS_TO_NGINX.md for the full migration log.

Intentionally omitted headers

X-XSS-Protection

This header was removed (was "1; mode=block").

Why: X-XSS-Protection is deprecated and removed from all modern browsers (Chrome 78+, Firefox never implemented it, Edge dropped it). Worse, the mode=block behaviour can be actively exploited to expose response bodies that would otherwise be blocked. Sending it provides no protection and may introduce risk.

Correct mitigation: a proper Content-Security-Policy header (now done for /admin/; public-page CSP is todo item #11).

Pending headers

Header	Scope	Status
Content-Security-Policy	Public pages (non-admin)	⏳ todo item #11