From 4d99cbe87075fc9180b49f12ef45d51db2d3892d Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Mon, 6 Apr 2020 16:54:25 +0200
Subject: [PATCH] Add ref for security headers

---
 data/templates/nginx/security.conf.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc
index 272a29e26..28d12055b 100644
--- a/data/templates/nginx/security.conf.inc
+++ b/data/templates/nginx/security.conf.inc
@@ -20,6 +20,9 @@ ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECD
 #ssl_dhparam /etc/ssl/private/dh2048.pem;
 {% endif %}
 
+# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
+# https://wiki.mozilla.org/Security/Guidelines/Web_Security
+# https://observatory.mozilla.org/
 more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
 more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
 more_set_headers "X-Content-Type-Options : nosniff";