server_tokens off;
HSTS is a security feature that ensures connections to your server occur only over HTTPS, thereby mitigating risks associated with protocol downgrade attacks and improving overall security by enforcing secure connections.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. SAMEORIGIN - means that the page can only be embedded in a frame on a page with the same origin as itself.
add_header X-Frame-Options SAMEORIGIN;
Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
add_header X-Content-Type-Options nosniff;
Allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
add_header Referrer-Policy same-origin;
See https://www.ssllabs.com/ssltest/
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
Allows all kind of content as long as its origin is self, inline, eval
add_header Content-Security-Policy "default-src 'self'; frame-src 'self' *.google.com; frame-ancestors 'self' *.google.com; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.jsdelivr.net *.cloudflare.com *.jquery.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; img-src 'self' data: ; font-src 'self' *.gstatic.com *.cloudflare.com; connect-src 'self';";
Allows all device perms as long as its origin is self
add_header Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), speaker=(self), usb=(self), vibrate=(self), vr=(self)";