nginx.conf

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  # enable this if you run it without docker
  # listen 443 ssl default_server;
  # listen [::]:443 ssl default_server;

  # here comes your server name if you run it without docker
  server_name _;

  # Security Headers
  # disable server version in server header
  server_tokens off;
  # enable HSTS
  add_header Strict-Transport-Security "max-age=63072000";
  # enable CSP (it would be better to remove unsafe inline, but then sorceway doesn't work)
  add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' https://www.xing.com:443 https://profile-images.xing.com:443;";
  # disable clickjacking
  add_header X-Frame-Options "SAMEORIGIN";
  # disable sniffing mime types
  add_header X-Content-Type-Options "nosniff";
  # disable leaking sensitive information in url as referrer
  add_header Referrer-Policy "no-referrer";
  # disable xss
  add_header X-XSS-Protection "1; mode=block";

  # without docker the root may be fixed
  location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    try_files $uri $uri/ /index.htm;
  }

  #  access_log /dev/stdout;
  #  error_log  /dev/stderr;
}