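# Demo virtual host: serves files from /sites/demo over plain HTTP on port 80.
server {
    listen 80;
    server_name 198.255.25.1;
    root /sites/demo;

    # Exact-match location: applies to /thumb.png only.
    # NOTE: add_header directives are inherited from the enclosing level only
    # when the current level defines none of its own. This block defines its
    # own, so security headers set at server/http level are NOT sent for
    # /thumb.png unless they are repeated here.
    location = /thumb.png {
        add_header my_header "hello world";
        # test the custom header, e.g.: curl -I http://<server_name>/thumb.png
        # (this server block listens on plain HTTP, port 80)
        # expected response header: `my_header: hello world`

        # Header names use hyphens: "Cache_Control" / "Accept-Enconding" would be
        # sent as unknown headers that caches and browsers ignore.
        add_header Cache-Control public;
        add_header Pragma public;
        add_header Vary Accept-Encoding;

        # `expires` emits both Expires and Cache-Control: max-age.
        expires 60m; # case sensitive M/m: 1M = 1 month, 60m = 60 minutes;
    }

    # Static assets, matched case-insensitively on the file extension.
    # The trailing `$` anchors the match to the end of the URI. Without it the
    # pattern also matches paths such as /api/data.json or /app.jsp, and those
    # requests would silently drop out of the access log.
    location ~* \.(css|js|jpg|png)$ {
        access_log off; # No log on static request
    }
}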
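# Response headers for the enclosing http/server/location context.
#
# `always` makes nginx add the header to every response. Without it,
# add_header applies only to a fixed list of 2xx/3xx status codes, so error
# pages (4xx/5xx) would be sent without the security headers.
#
# add_header is inherited from the enclosing level only when the current
# level has no add_header of its own; a location that adds any header must
# repeat these.

# CORS: `*` lets scripts on any origin read these responses. Use it only for
# public, non-credentialed content; otherwise echo a vetted origin.
add_header Access-Control-Allow-Origin *;

# Clickjacking control (not CORS): the page may be framed by same-origin
# documents only.
add_header X-Frame-Options SAMEORIGIN always;

# Stop browsers from MIME-sniffing a response away from its declared type.
add_header X-Content-Type-Options nosniff always;

# Legacy header: current browsers no longer ship the XSS filter it controls.
# Rely on a Content-Security-Policy for XSS mitigation.
add_header X-XSS-Protection "1; mode=block" always;

# HSTS is honoured by browsers only on HTTPS responses. `includeSubDomains`
# and `preload` commit every subdomain to HTTPS and are slow to undo;
# confirm all subdomains serve valid TLS first.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# NOTE(review): $date_gmt is the current time, so every response claims to be
# freshly modified and If-Modified-Since revalidation will not match.
# Presumably meant to defeat caching; confirm this is intended.
add_header Last-Modified $date_gmt;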
CORS - simple requests
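# CORS for simple requests: add the allow-origin header on GET and POST only.
location / {
    # HTTP method names are case-sensitive. Match them exactly (`~` with ^...$)
    # so that only GET and POST qualify, not any method that merely contains
    # those letters.
    if ($request_method ~ "^(GET|POST)$") {
        # `*` exposes the response to scripts on any origin. It is suitable for
        # public data only; for anything user-specific, return a vetted origin.
        add_header "Access-Control-Allow-Origin" *;
    }
}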
Preflight request
# CORS preflight: answer OPTIONS requests directly with the permitted origin,
# methods and request headers, without passing the request any further.
# add_header inside `if` is accepted only when the `if` sits in a location block.
# NOTE(review): with a wildcard origin, listing Authorization lets pages on any
# origin send that header here; confirm this endpoint is meant to be that open.
if ($request_method = OPTIONS) {
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD";
    add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
    return 200;
}
Server block example
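# Example virtual host: serves files from /sites/demo over plain HTTP on port 80.
server {
    listen 80;
    server_name 198.255.25.1;
    root /sites/demo;

    # Exact-match location for /thumb.png.
    # NOTE: because this block declares its own add_header directives, it does
    # not inherit any add_header set at server/http level. Repeat security
    # headers here if they must apply to this file.
    location = /thumb.png {
        add_header my_header "hello world";

        # Header names use hyphens: "Cache_Control" / "Accept-Enconding" would be
        # sent as unknown headers that caches and browsers ignore.
        add_header Cache-Control public;
        add_header Pragma public;
        add_header Vary Accept-Encoding;

        expires 60m;
        # `expires` also sets Cache-Control: max-age to the same lifetime;
        # 1M = 1 month, 60m = 60 minutes (the unit is case sensitive).
    }

    # Static assets, matched case-insensitively on the file extension.
    # The trailing `$` keeps the match at the end of the URI, so paths such as
    # /api/data.json or /app.jsp stay in the access log.
    location ~* \.(css|js|jpg|png)$ {
        access_log off;
    }
}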