Nathaniels-MacBook-Pro:~ nathanielsuchy$ curl -I --user-agent "Chrome" https://sinfulforums.net
HTTP/1.1 200 OK
Date: Wed, 06 Sep 2017 14:49:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dc85851e0e2b6e528d21354f154b21eaa1504709365; expires=Thu, 06-Sep-18 14:49:25 GMT; path=/; domain=.sinfulforums.net; HttpOnly
Set-Cookie: mybb[lastvisit]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/; domain=.sinfulforums.net; Secure
Set-Cookie: mybb[lastactive]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/; domain=.sinfulforums.net; Secure
Set-Cookie: sid=d178e833b5cc6ad71cd9912c5282717c; path=/; domain=.sinfulforums.net; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' data:; frame-src 'self' https://www.google.com:443 https://static.addtoany.com:443 https://www.youtube.com:443; img-src * data:; style-src 'self' 'unsafe-inline' https://static.addtoany.com:443 https://maxcdn.bootstrapcdn.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://analytics.maimail.co:443 https://www.google.com:443 https://www.gstatic.com:443 https://www.google-analytics.com:443 https://ajax.googleapis.com:443 https://www.googletagmanager.com:443 https://maxcdn.bootstrapcdn.com:443 https://static.addtoany.com:443 https://ajax.cloudflare.com:443; connect-src 'self' https://cors-anywhere.herokuapp.com:443; font-src 'self' data: https://fonts.gstatic.com:443; report-uri https://sinfulforums.report-uri.io/r/default/csp/enforce;
X-We-Are-Hiring: If you are seeing this message maybe you should be working for us. Private Message AdamJenaine for more information.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare-nginx
CF-RAY: 39a23c1f0ffd56f9-IAD
My headers are above if that provides any inspiration. You can use the following nginx config options to get similar headers:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
I'm not including my content security policy as it's huge and might cause problems on your board if you don't understand what you're configuring.
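As an added example (not code from the post above), the following Python script does the defender-side check the poster is doing by hand with `curl -I`: it parses a raw response head, verifies that the hardening headers from the nginx snippet (plus HSTS and a CSP) are present with sane values, and checks every `Set-Cookie` for the `Secure` and `HttpOnly` attributes, which the quoted headers show are set inconsistently across cookies. The sample response is constructed to mirror the structure of the curl output above, with placeholder cookie values and an example domain; it deliberately omits the Content-Security-Policy header, as the poster did, so the audit reports it as missing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response head, modelled on the curl -I output in the post.
# Cookie values and the domain are placeholders, not real identifiers.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 06 Sep 2017 14:49:25 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=PLACEHOLDER_CF; expires=Thu, 06-Sep-18 14:49:25 GMT; path=/; domain=.example.invalid; HttpOnly
Set-Cookie: mybb[lastvisit]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/; domain=.example.invalid; Secure
Set-Cookie: sid=PLACEHOLDER_SID; path=/; domain=.example.invalid; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare-nginx
"""

# Headers the nginx snippet sets, plus HSTS and CSP from the curl output.
# A tuple lists accepted values; None means "presence is enough" (or special-cased).
EXPECTED_HEADERS = {
    "x-frame-options": ("SAMEORIGIN", "DENY"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block", "0"),
    "referrer-policy": (
        "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
        "strict-origin", "origin-when-cross-origin",
        "strict-origin-when-cross-origin",
    ),
    "strict-transport-security": None,  # max-age checked separately
    "content-security-policy": None,
}

ONE_YEAR = 31536000  # seconds; the max-age the post uses


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response head into (lowercased name, value) pairs.

    Repeated headers such as Set-Cookie are kept as separate entries.
    """
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the head section
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {header: finding}, where finding is 'ok', 'missing' or a short note."""
    first_value: Dict[str, str] = {}
    for name, value in headers:
        first_value.setdefault(name, value)
    findings = {}
    for name, accepted in EXPECTED_HEADERS.items():
        if name not in first_value:
            findings[name] = "missing"
            continue
        value = first_value[name]
        if name == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", value)
            age = int(match.group(1)) if match else 0
            findings[name] = "ok" if age >= ONE_YEAR else f"max-age too short ({age})"
        elif accepted is None or value in accepted:
            findings[name] = "ok"
        else:
            findings[name] = f"unexpected value {value!r}"
    return findings


def audit_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for every Set-Cookie header."""
    result = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        result[cookie_name] = [a for a in ("secure", "httponly") if a not in attrs]
    return result


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_RESPONSE)
    for header, finding in audit_headers(parsed).items():
        print(f"{header:28s} {finding}")
    for cookie, missing in audit_cookies(parsed).items():
        print(f"cookie {cookie!r}: missing {missing or 'nothing'}")
```

Run against a real response, pipe `curl -sI <url>` into `parse_headers` instead of the constructed sample. The cookie check is the part worth keeping in a deployment checklist: nginx `add_header` lines cannot fix cookie attributes, which are set by the application (MyBB here), so they need to be audited separately.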