From a5ca47e88d02a7974dfad1e957559359276c7883 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sun, 25 Oct 2015 09:18:34 +0200
Subject: [PATCH] nginx: X-Xss-Protectio & -Content-Type-Options via https://securityheaders.io/ via znc/znc#1168
---
 etc/nginx/sites-enabled/host | 2 ++
 etc/nginx/sites-enabled/rproxy | 2 ++
 etc/nginx/sites-enabled/vhost | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/etc/nginx/sites-enabled/host b/etc/nginx/sites-enabled/host
index cebbac63..f784f3e6 100644
--- a/etc/nginx/sites-enabled/host
+++ b/etc/nginx/sites-enabled/host
@@ -34,6 +34,8 @@ server {
 add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header X-Xss-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
diff --git a/etc/nginx/sites-enabled/rproxy b/etc/nginx/sites-enabled/rproxy
index d8c2a199..652ececc 100644
--- a/etc/nginx/sites-enabled/rproxy
+++ b/etc/nginx/sites-enabled/rproxy
@@ -8,6 +8,8 @@ server {
 add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header X-Xss-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
 server_name something.example.org;
diff --git a/etc/nginx/sites-enabled/vhost b/etc/nginx/sites-enabled/vhost
index c27d1dcf..1f0264d9 100644
--- a/etc/nginx/sites-enabled/vhost
+++ b/etc/nginx/sites-enabled/vhost
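Review bot: The two added headers carry `always`, but the three existing `add_header` lines directly above them in the same `server` block do not, so 4xx/5xx responses will get X-Xss-Protection and X-Content-Type-Options while still lacking HSTS, X-Frame-Options and the CSP; the rproxy and vhost hunks have the same mismatch. Consider making the existing lines consistent, e.g. `add_header X-Frame-Options SAMEORIGIN always;`, keeping in mind that the `always` parameter needs nginx 1.7.5 or later. The rest of each `server` block lies outside the hunks: nginx inherits `add_header` from the enclosing level only when the current level defines none, so any `location` that sets its own `add_header` would silently drop all five headers and is worth checking. X-Xss-Protection only steers a legacy browser XSS filter that most current browsers no longer implement, and the existing CSP value (`upgrade-insecure-requests`) restricts no script sources, so XSS mitigation still depends on adding a real `script-src`/`default-src` policy.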
@@ -10,6 +10,8 @@ server {
 add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header X-Xss-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
 root /var/www/vhostdir;
 index index.php index.html index.htm;