How privacy-friendly is your site?

So /r/privacy pointed me to an awesome tool that taught me about fancy new privacy (and security) headers! I actually scored quite well when I first ran the analysis (0 cookies, 0 third-party requests, and 0 third-parties contacted), but improved my results by adding this to my Nginx configuration:

add_header Referrer-Policy no-referrer;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";

The “no-referrer” Referrer-Policy instructs the users' browser not to send referrer headers for any linked clicked from the site. Though this requires the browser to respect the instruction, most do (except, of course, Internet Explorer).

The “nosniff” X-Content-Type-Options stops browser sniffer. This reduces MIME type security risk by blocking things like stylesheets if they don’t match the appropriate type (e.g. text/css, instead of trying to guess the type).

The “SAMEORIGIN” X-Frame-Options just prevents your site from being put in a frame. Less chance of click-jacking.

The “1; mode=block” X-XSS-Protection does what it sounds like and enables XSS protection in the browser.

You may notice that I don’t have Public-Key-Pins set. Since it’s very easy to break your site with no recourse (except waiting it out) with this, after reading around I decided not to bother. I use Let’s Encrypt for my SSL certificates (which, by the way, is probably one of my favorite pieces of technology in the last five years), and they’re working on adding automatic support to certbot. My site doesn’t operate with any sensitive data (it doesn’t even set cookies), so it’s just unnecessary.

That said, I do use HTTP Strict Transport Security (HSTS) to ensure my site is never accessed over plaintext, but this approach is opt-in per website.

On the other side, you can and should use EFF’s HTTPS Everywhere browser extension to ensure the same thing, but via a whitelist in your browser. Before you ask, they already release as a WebExtension for Firefox. It’s actually quite easy to contribute new rules, I recently added my first for

There is simply no reason not to use encryption, especially with Let’s Encrypt. I also highly recommend analyzing your SSL configuration with this tool with SSL Labs.


When I moved to hosting on Netlify I was able to accomplish the same thing with:

  for = "/*"
    Referrer-Policy = "no-referrer"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "deny"
    X-XSS-Protection = "1; mode=block"

However, I recently moved to Digital Ocean, and am wondering how to set this up again. Their “app spec” reference has “routes” but does not have “headers.”