How privacy-friendly is your site?

So /r/privacy pointed me to an awesome tool that taught me about fancy new privacy (and security) headers! I actually scored quite well when I first ran the analysis (0 cookies, 0 third-party requests, and 0 third-parties contacted), but improved my results by adding this to my Nginx configuration:

add_header Referrer-Policy no-referrer;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";

The “no-referrer” Referrer-Policy instructs the user's browser not to send a Referer header for any link clicked from the site. Though this requires the browser to respect the instruction, most do (except, of course, Internet Explorer).

The “nosniff” X-Content-Type-Options stops browser MIME sniffing. This reduces MIME-type security risk by blocking resources such as stylesheets when their declared type doesn’t match the expected one (e.g. text/css), instead of letting the browser guess the type from the content.

The “SAMEORIGIN” X-Frame-Options prevents other sites from putting your site in a frame (only pages from the same origin may frame it). Less chance of click-jacking.

The “1; mode=block” X-XSS-Protection does what it sounds like and enables XSS protection in the browser.

You may notice that I don’t have Public-Key-Pins set. Since it’s very easy to break your site with this, with no recourse except waiting it out, after reading around I decided not to bother. I use Let’s Encrypt for my SSL certificates (which, by the way, is probably one of my favorite pieces of technology of the last five years), and they’re working on adding automatic support to certbot. My site doesn’t handle any sensitive data (it doesn’t even set cookies), so it’s just unnecessary.

That said, I do use HTTP Strict Transport Security (HSTS) to ensure my site is never accessed over plaintext, but this approach is opt-in per website.

On the client side, you can and should use EFF’s HTTPS Everywhere browser extension to ensure the same thing, but via a whitelist in your browser. Before you ask, it is already released as a WebExtension for Firefox. It’s actually quite easy to contribute new rules; I recently added my first, for calculator.net.

There is simply no reason not to use encryption, especially with Let’s Encrypt. I also highly recommend analyzing your SSL configuration with the server test tool from SSL Labs.
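To verify that the headers above actually reach the browser after a deploy, here is a small checker I am adding as an example (not part of the original post): it fetches a site's response headers and reports which of the four headers, plus Strict-Transport-Security, are missing or set to an unexpected value. The accepted X-Frame-Options values, the 180-day HSTS threshold and the sample response are my own assumptions.

```python
import re
import sys
import urllib.request

# Accepted values (lowercased, spaces removed) for the headers the post adds.
# Assumption: X-Frame-Options may be SAMEORIGIN (Nginx example) or DENY (Netlify example).
EXPECTED = {
    "referrer-policy": {"no-referrer"},
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin", "deny"},
    "x-xss-protection": {"1;mode=block"},
}
MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example

SAMPLE_HEADERS = {  # constructed sample response, used when no URL is given
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",             # deliberately wrong, to show a finding
    "Strict-Transport-Security": "max-age=0",  # deliberately weak
}

def check_headers(headers):
    """Return {header: verdict} for a response-header mapping (names matched case-insensitively)."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    report = {}
    for name, allowed in EXPECTED.items():
        value = lower.get(name)
        if value is None:
            report[name] = "missing"
        elif value.lower().replace(" ", "") in allowed:
            report[name] = "ok"
        else:
            report[name] = f"unexpected: {value}"
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        report["strict-transport-security"] = "missing"
    else:
        # HSTS is only useful with a non-trivial max-age; max-age=0 disables it
        age = int(m.group(1)) if (m := re.search(r"max-age=(\d+)", hsts, re.I)) else 0
        report["strict-transport-security"] = "ok" if age >= MIN_HSTS_AGE else f"weak: {hsts}"
    return report

def fetch_headers(url):
    """HEAD-request url and return its response headers as a dict."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, verdict in check_headers(headers).items():
        print(f"{name:28} {verdict}")
```

Run it with your site's URL as the only argument; without an argument it evaluates the constructed sample and flags its two deliberate problems.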

Update

When I moved to hosting on Netlify I was able to accomplish the same thing with:

[[headers]]
  for = "/*"
  [headers.values]
    Referrer-Policy = "no-referrer"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "deny"
    X-XSS-Protection = "1; mode=block"

However, I recently moved to DigitalOcean, and am wondering how to set this up again. Their “app spec” reference has “routes” but does not have “headers.”