From 6ec31b6344ae128bafb5fb8293a68b9485dbf0de Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Thu, 21 Dec 2023 12:32:57 +0100
Subject: [PATCH] add misc recommendations about nginx

There is not any section about web servers.
So you should probably create a section
about web servers.
---
 nginx.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 nginx.md

diff --git a/nginx.md b/nginx.md
new file mode 100644
index 0000000..2a09c3d
--- /dev/null
+++ b/nginx.md
@@ -0,0 +1,45 @@
+# Secure nginx
+
+Global resource: [webdock.io](https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache)
+
+* [Disable server tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
+
+  ```nginx
+  server_tokens off;
+  ```
+
+* [Content Security Policy Reference](https://content-security-policy.com/)
+
+  ```nginx
+  add_header Content-Security-Policy "default-src 'self';" always;
+  ```
+
+* [X-frame-options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#sameorigin)
+
+  ```nginx
+  add_header X-Frame-Options SAMEORIGIN always;
+  ```
+
+* [X-Xss-Protection: block](https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/proxy-response-headers/)
+
+  ```nginx
+  add_header X-Xss-Protection "1; mode=block" always;
+  ```
+
+* [strict origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#strict-origin)
+
+  ```nginx
+  add_header Referrer-Policy "strict-origin" always;
+  ```
+
+* [Permissions Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy)
+
+  ```nginx
+  add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
+  ```
+
+* [Content sniffing](https://en.wikipedia.org/wiki/Content_sniffing)
+
+  ```nginx
+  add_header X-Content-Type-Options nosniff always;
+  ```