After I learned about Mozilla’s tool for testing how secure your site is, I ran it on my site (https://observatory.mozilla.org/analyze.html?host=brege.org) and received an “F”.

After some trial and error and searching around, I came up with the following to be placed in my Nginx server{...} block:

    # Force HTTPS for six months (15768000 s) on this host and all subdomains, and opt in to the preload list.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
    # Only allow this site's own pages to put it in a frame (clickjacking protection).
    add_header X-Frame-Options "SAMEORIGIN";
    # Stop browsers from MIME-sniffing a response away from its declared Content-Type.
    add_header X-Content-Type-Options nosniff;
    # Legacy XSS filter for older browsers; current browsers ignore this header.
    add_header X-XSS-Protection "1; mode=block";
    # Tell Flash/PDF readers not to honour cross-domain policy files for this origin.
    add_header X-Permitted-Cross-Domain-Policies none;
    # Load scripts, styles, images and everything else only from this origin; no inline script.
    add_header Content-Security-Policy "default-src 'self';";

Two caveats. Nginx does not merge add_header across levels: a location block that sets any add_header of its own drops every header set at the server level, so repeat them there (or put them in an included file), and add_header only applies to 2xx and 3xx responses unless you append the `always` parameter. Also, `default-src 'self'` blocks inline scripts and styles and anything fetched from another origin, which is fine for a simple static site but will break pages that depend on them. Note too that hstspreload.org currently requires a max-age of at least 31536000 (one year) before it will accept a preload submission.

Now I am receiving an “A+” from the observatory!
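To check what a server actually returns without round-tripping through the Observatory, here is a small checker added for this post (not the author's code) that grades one response's headers against the baseline above. The two header sets inside it are constructed samples, not captures from brege.org. It also applies hstspreload.org's current rule that a preload submission needs a max-age of at least 31536000 seconds (one year), which the 15768000 in the block above no longer meets (the minimum was shorter when the list started), so the post's own configuration comes back with exactly that one finding.

```python
"""Check HTTP response headers against the hardening baseline from the post.

Added example, not code from the original post. The header sets below are
constructed samples, not responses captured from brege.org.
"""

# hstspreload.org currently requires max-age of at least one year for preloading.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, set of lower-cased flags)."""
    max_age = None
    flags = set()
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            if val.strip().isdigit():
                max_age = int(val.strip())
        else:
            flags.add(name)
    return max_age, flags


def parse_csp(value):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def check_headers(headers):
    """Return a list of findings for one response's headers; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS max-age missing or not numeric")
        elif "preload" in flags and max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(
                f"HSTS preload requested but max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}"
            )
        if "preload" in flags and "includesubdomains" not in flags:
            findings.append("HSTS preload requires includeSubDomains")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if h.get("x-permitted-cross-domain-policies", "").strip().lower() != "none":
        findings.append("X-Permitted-Cross-Domain-Policies is not none")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        default = directives.get("default-src")
        if default is None:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when it is absent.
        for src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            if src in directives.get("script-src", default or []):
                findings.append(f"CSP allows {src} for scripts")

    return findings


# Constructed sample: the headers the Nginx block above produces.
POST_CONFIG_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Content-Security-Policy": "default-src 'self';",
}

# Constructed sample: a stock server with no hardening headers at all.
BARE_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}


if __name__ == "__main__":
    for label, hdrs in (("post config", POST_CONFIG_HEADERS), ("bare server", BARE_HEADERS)):
        print(f"{label}: {check_headers(hdrs) or ['ok']}")
```

To run it against a live site, fetch the headers with something like `curl -sI https://brege.org`, split each line on the first colon into a dict, and pass that to `check_headers`; the findings should line up with the items the Observatory marks down.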

I also went to Google’s submission page to have my site put on the HSTS preload list, so that all users of Google Chrome access my site through HTTPS by default.