# Method allow-list for requests matched by this location: only GET, HEAD and
# POST are accepted; every other method (PUT, DELETE, OPTIONS, TRACE, ...) is
# answered with 403 by "deny all". Note that an OPTIONS-based CORS preflight is
# rejected too, so add OPTIONS here if the site serves cross-origin clients.
# limit_except is scoped to this location block only; sibling locations (e.g.
# /images/ below) need their own limit_except to get the same policy.
location / {
    limit_except GET HEAD POST { deny all; }
  }
  • Enable sysctl-based protection
# Kernel network hardening, applied with sysctl (persisted in sysctl.conf).
# rp_filter = 1 enables strict reverse-path filtering: a packet is dropped
# when a reply to its source address would not leave via the interface it
# arrived on, which blocks many spoofed-source packets. Caveat: strict mode
# can drop legitimate traffic on hosts with asymmetric routing; loose mode
# (value 2) is the usual choice there.
net.ipv4.conf.all.rp_filter = 1
# tcp_syncookies = 1 makes the kernel answer with SYN cookies once the SYN
# backlog is full, so listeners stay reachable during a SYN flood instead of
# refusing new connections.
net.ipv4.tcp_syncookies = 1
  • Stop image hotlinking
# Hotlink deterrent for /images/: the request is served when the Referer is
# absent ("none"), present but stripped to a non-URL by a proxy or firewall
# ("blocked"), or names one of the listed hosts; anything else gets 403.
# Replace the domain.com placeholders with the real site host names.
# The Referer header is client-controlled and trivially spoofed, so this is
# bandwidth protection, not access control; "none" also means direct requests
# and most scripted downloads are still served.
location /images/ {
  valid_referers none blocked www.domain.com domain.com;
   # Only "return" is used inside this if, which is the safe form of if inside
   # a location block.
   if ($invalid_referer) {
     return   403;
   }
}
  • add_header X-Content-Type-Options nosniff;
  • add_header X-XSS-Protection "1; mode=block"; (legacy header: current browsers have removed or ignore the built-in XSS auditor it controls, so rely on a Content-Security-Policy header for this protection rather than on X-XSS-Protection alone)
  • add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; (turn on includeSubDomains and preload only once every subdomain serves valid HTTPS, since a preloaded HSTS policy is hard to revoke; "always" emits the header on error responses as well)