From 628718159f0a407081bba328ca7760132a2f3ef6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristhian=20Mart=C3=ADnez=20Ochoa?=
Date: Mon, 18 Dec 2017 21:44:07 -0600
Subject: [PATCH] http header warning

Warning text for some HTTP headers.
---
 templates/nginx/common/headers-html.conf | 3 +++
 templates/nginx/common/headers-https.conf | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/templates/nginx/common/headers-html.conf b/templates/nginx/common/headers-html.conf
index da64686..539cca4 100644
--- a/templates/nginx/common/headers-html.conf
+++ b/templates/nginx/common/headers-html.conf
@@ -1,3 +1,6 @@
 add_header Cache-Control "public, no-cache";
 add_header Referrer-Policy "unsafe-url";
+
+# The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.
+# https://content-security-policy.com/
 #add_header Content-Security-Policy " ";
diff --git a/templates/nginx/common/headers-https.conf b/templates/nginx/common/headers-https.conf
index 157a48e..70efc70 100644
--- a/templates/nginx/common/headers-https.conf
+++ b/templates/nginx/common/headers-https.conf
@@ -1,2 +1,5 @@
+# Be aware that inclusion in the preload list cannot easily be undone.
+# Don't request inclusion unless you're sure that you can support HTTPS for your entire site and all its subdomains the long term.
+# https://hstspreload.org/
 #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 add_header Strict-Transport-Security "max-age=31536000";
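Review bot: The added CSP comment in headers-html.conf has a wording slip and a word that will age badly: "via a HTTP Header" should read "via an HTTP header", and "The new Content-Security-Policy" should drop "new". The directive it describes stays commented out with a whitespace-only value, `#add_header Content-Security-Policy " ";`, which enforces nothing if someone simply uncomments it; the comment could say so, e.g. `# An empty/whitespace policy enforces nothing; write a real policy here and trial it with Content-Security-Policy-Report-Only before enforcing.`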
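Review bot: The HSTS warning in headers-https.conf reads "for your entire site and all its subdomains the long term"; it should read "for the long term". Since the active directive on the last line sends `max-age=31536000` without `includeSubDomains` while the preload form sits above it commented out, the comment could also make explicit that the preload list only accepts the full form shown in the commented-out line (a max-age of at least one year plus `includeSubDomains` and `preload`, per hstspreload.org), so moving to it means every subdomain must already serve HTTPS, not just uncommenting a line.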