# {{ ansible_managed }}

# Strict Transport Security (HSTS), Tell browsers to use only https (adding includeSubDomains would also force subdomains to use HSTS)
add_header Strict-Transport-Security "max-age=15552000; preload" always;

# Expect Certificate Transparency and -Stapling, Security measures for checking HTTPS-certificate validity/revocation
add_header Expect-CT 'enforce; max-age=86400;' always;
add_header Expect-Staple 'max-age=86400; preload' always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;