nginx: X-Xss-Protectio & -Content-Type-Options

via https://securityheaders.io/ via znc/znc#1168

etc/nginx/sites-enabled/host

@@ -34,6 +34,8 @@ server {
     add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
     add_header X-Frame-Options SAMEORIGIN;
     add_header Content-Security-Policy upgrade-insecure-requests;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
 
     # OCSP Stapling ---
     # fetch OCSP records from URL in ssl_certificate and cache them

etc/nginx/sites-enabled/rproxy

@@ -8,6 +8,8 @@ server {
     add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
     add_header X-Frame-Options SAMEORIGIN;
     add_header Content-Security-Policy upgrade-insecure-requests;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
 
     server_name something.example.org;
 

etc/nginx/sites-enabled/vhost

@@ -10,6 +10,8 @@ server {
     add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
     add_header X-Frame-Options SAMEORIGIN;
     add_header Content-Security-Policy upgrade-insecure-requests;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
 
     root /var/www/vhostdir;
     index index.php index.html index.htm;