location ~* /\.(?!well-known\/) {
  deny all;
}

location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
  deny all;
}

add_header Cache-Control            "no-transform";
add_header Content-Security_policy  "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Referrer-Policy          "no-referrer-when-downgrade" always;
add_header X-Content-Type-Options   "nosniff" always;
add_header X-Frame-Options          "SAMEORIGIN" always;
add_header X-XSS-Protection         "1; mode=block" always;
# https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;