# Enable HTTP Strict Transport Security (HSTS) to force clients to # always connect via HTTPS (do not use if only testing) add_header Strict-Transport-Security "max-age=31536000;" always; # Enable cross-site filter (XSS) and tell browser to block detected # attacks add_header X-XSS-Protection "1; mode=block" always; # Prevent some browsers from MIME-sniffing a response away from the # declared Content-Type add_header X-Content-Type-Options "nosniff" always; # Disallow the site to be rendered within a frame (clickjacking # protection) add_header X-Frame-Options "DENY" always; # Indicate that we are serving http3 on port 443 add_header Alt-Svc 'h3=":443"; ma=864000';