also add security headers to nginx responses

Findus23 · Findus23 · commit 75f5598212bb · 2019-06-20T20:52:00.000+02:00
thanks to @J0WI (#52)
diff --git a/sites-available/matomo.conf b/sites-available/matomo.conf
@@ -14,15 +14,15 @@ server {
 
     ## uncomment if you want to enable HSTS with 6 months cache
     ## ATTENTION: Be sure you know the implications of this change (you won't be able to disable HTTPS anymore)
-    #add_header Strict-Transport-Security max-age=15768000;
+    #add_header Strict-Transport-Security max-age=15768000 always;
 
     ## replace with your SSL certificate
     ssl_certificate /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;
 
     include ssl.conf; # if you want to support older browsers, please read through this file
 
-    add_header Referrer-Policy origin; # make sure outgoing links don't show the URL to the Matomo instance
+    add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
 
     root /var/www/matomo/; # replace with path to your matomo instance
 
