{ config, lib, ... }:

{
  options.sbruder.nginx.hardening.enable = lib.mkEnableOption "nginx hardening";

  config = lib.mkIf config.sbruder.nginx.hardening.enable {
    services.nginx.commonHttpConfig = ''
      map $scheme $hsts_header {
        https   "max-age=31536000";
      }
      add_header Strict-Transport-Security $hsts_header;

      add_header Referrer-Policy strict-origin;
      add_header X-Content-Type-Options nosniff;
      add_header X-Frame-Options SAMEORIGIN;
    '';
  };
}