# read more here http://tautt.com/best-nginx-configuration-for-security/

# add_header Server "mystartup/1.0" always;
  # config to don't allow the browser to render the page inside an frame or iframe
  # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
  # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
  # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
  add_header X-Frame-Options SAMEORIGIN;

  # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
  # to disable content-type sniffing on some browsers.
  # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
  # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
  # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
  add_header X-Content-Type-Options nosniff;

  # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
  # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
  # this particular website if it was disabled by the user.
  # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  add_header X-XSS-Protection "1; mode=block";

  # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
  # you can tell the browser that it can only download content from the domains you explicitly allow
  # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  # https://www.owasp.org/index.php/Content_Security_Policy
  # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
  # directives for css and js(if you have inline css or js, you will need to keep it too).
  # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
  # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
  # add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;


    

server {
  listen 80;

  sendfile on;

  default_type application/octet-stream;
  # more_clear_headers Server; 
  # more_set_headers 'Server: Powered by Yondu';
  # don't send the nginx version number in error pages and Server header
  server_tokens off; 
  


  gzip on;
  gzip_http_version 1.1;
  gzip_disable      "MSIE [1-6]\.";
  gzip_min_length   256;
  gzip_vary         on;
  gzip_proxied      expired no-cache no-store private auth;
  gzip_types
      application/atom+xml
      application/javascript
      application/json
      application/ld+json
      application/manifest+json
      application/rss+xml
      application/vnd.geo+json
      application/vnd.ms-fontobject
      application/x-font-ttf
      application/x-web-app-manifest+json
      application/xhtml+xml
      application/xml
      font/opentype
      image/bmp
      image/svg+xml
      image/x-icon
      text/cache-manifest
      text/css
      text/plain
      text/vcard
      text/vnd.rim.location.xloc
      text/vtt
      text/x-component
      text/x-cross-domain-policy;
      # text/html is always compressed by gzip module
  gzip_comp_level   9;
  server_name  *.example.org;
  root /usr/share/nginx/html;

  # . files
  location ~ /\. {
    deny all;
  }
  # cache.appcache, your document html and data
  location ~* \.(?:manifest|appcache|html?|xml|json)$ {
    expires -1;
    # access_log logs/static.log; # I don't usually include a static log

 
  }
 

  # Media: images, icons, video, audio, HTC
  location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    expires 1M;
    access_log off;
  
  }

  # location ~* (service-worker\.js)$ {
  #   add_header Cache-Control no-store, no-cache; 
  #   expires -1;
  #   proxy_no_cache 1;

  # }

  # CSS and Javascript
  location ~* /static/.*\.(?:css|js)$ {
    expires 1y;
    access_log off;
 
  }


  # location /service-worker.js {
  #     expires -1;
  #     add_header Cache-Control no-store, no-cache; 
  #     access_log off; 
  # }
 

  location / {
    try_files $uri $uri/ /index.html;
  }
  
}