Fix Missing Security Headers on Nginx
Nginx does not ship secure defaults for HSTS, Content-Security-Policy, or X-Frame-Options. Most breaches start with a missing or weak header set, so production server { } blocks should declare explicit policies instead of relying on application code.
Use add_header (with the always parameter where you need headers on error responses) to set strict transport, framing, referrer, and permissions policies. Place policies once per server name, then validate the configuration with nginx -t before running systemctl reload nginx.
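A server block that applies the guidance above, as an added example rather than output from HeadersFixer or code from the original page. The hostname, file paths, and policy values are assumptions to adapt per site; the /assets/ location shows the add_header inheritance rule that silently drops server-level headers.

```nginx
# Added example. example.com, the certificate paths, and every policy value
# below are assumptions, not values taken from the page.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path
    root /var/www/example.com;                            # placeholder path

    # "always" emits the header on every response, including 4xx/5xx error
    # pages. Without it nginx adds the header only on a fixed set of
    # 2xx/3xx status codes.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;

    location / {
        # No add_header at this level, so the five server-level headers
        # are inherited unchanged.
        try_files $uri $uri/ =404;
    }

    location /assets/ {
        # add_header directives are inherited from the server level only when
        # the current level defines none. This Cache-Control line alone would
        # leave /assets/ responses without any of the policies above.
        add_header Cache-Control "public, max-age=86400";

        # So the full set is declared again wherever a location adds a header.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
        add_header X-Frame-Options "DENY" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
    }
}
```

After the reload, request a path that does not exist and one under /assets/, and confirm that both responses carry all five headers.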
Apache and Cloudflare guides cover the same controls on other stacks. HeadersFixer scans your live URL and outputs copy-paste snippets matched to what your site actually needs.