feat: Add security header

https://securityheaders.com/

nginx-default.conf

@@ -28,6 +28,19 @@ server {
     # https://www.justegeek.fr/proteger-un-peu-plus-son-site-avec-la-balise-x-content-type-options/
     add_header X-Content-Type-Options "nosniff";
 
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Frame-Options DENY;
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+    # https://scotthelme.co.uk/content-security-policy-an-introduction/
+    add_header Content-Security-Policy "script-src 'self'";
+
+    # https://scotthelme.co.uk/a-new-security-header-feature-policy/
+    #add_header Feature-Policy "vibrate none";
+
+    # https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
     #Caching (save html pages for 7 days, rest as long as possible, no caching on frontpage)
     expires $expires;