change nginx headers

modules/services/nginx-conf.nix

@@ -77,6 +77,8 @@ in {
       in ''
         lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
 
+        # add hsts header with preloading to https reqeusts
+        # adding this header to http requests is 
         map $scheme $hsts_header {
             https   "max-age=31536000; includeSubdomains; preload";
         }
@@ -84,14 +86,22 @@ in {
 
         # Enable CSP for your services.
         # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-        # ^ this above breaks forgejo/gitea so
 
+        # Minimize information leaked to other domains
         add_header 'Referrer-Policy' 'origin-when-cross-origin';
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
+
+        # Disable embedding as a frame
+        #add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        #add_header X-Content-Type-Options nosniff;
+
+        # Enable XSS protection of the browser.
+        # May be unnecessary when CSP is configured properly (see above)
+        #add_header X-XSS-Protection "1; mode=block";
 
         # This might create errors
-        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+        #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 
         ${realIpsFromList cfipv4}
         ${realIpsFromList cfipv6}