nginx: security headers

[seanho00]

• [x] Double-check if ok to enable HSTS on all domains
• [x] Determine desired spec of HSTS header
• [x] Determine whether security headers need to be re-included at each level of scope (http, server, location)
• [x] Refactor security headers for multiple inclusion if necessary

[seanho00]

OK to enable HSTS, but don't preload: that requires includeSubDomains, so HSTS on all subdomains.

[seanho00]

I currently include security headers at top level (http). As long as I don't set any headers in a subsequent level (server or location), the top-level security headers will be inherited:

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header