Remove Unnecessary Trailing Semicolon

No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/) for getting on the preload list to fail with an error about the semicolon.

Use Cache-Control max-age instead of Expires headers

Cache-Control max-age was introduced in HTTP/1.1 over ten years ago
and is preferred to Expires. This replaces all expiry dates with an
equivalent max-age in seconds.

Remove references to Cache-Control public

A previous commit removed some, but missed these. Where a location
directive was using Expires to set a future expiry in conjunction
with Cache-Control public, I have replaced the time with an equal
Furthermore, Google's web performance guide says that "public" is
implicit if there is a max-age specified.

Always add security-relevant headers to the response, regardless of the response code (implements #147)

From nginx's add_header documentation:
add_header Adds the specified field to a response header provided that
the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
At least for all security-relevant headers this should not be the case
and the header should always be added.
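
A check for two of the points in the commit messages above (a trailing semicolon inside the HSTS value, and security headers set without the add_header "always" parameter), as an added example that is not part of the repository or its commits. The header list, the function name and the sample configuration are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed set of headers treated as security-relevant (not taken from the page).
SECURITY_HEADERS = {
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "x-content-type-options", "referrer-policy",
}

# One add_header directive up to its terminating semicolon; quoted values
# may themselves contain semicolons, so they are consumed as a unit.
DIRECTIVE = re.compile(r'\badd_header\s+((?:"[^"]*"|\'[^\']*\'|[^;"\'])+);')


def lint(config):
    """Return (header, problem) tuples for an nginx configuration string."""
    findings = []
    # Skip whole-line comments so commented-out directives are not reported.
    text = "\n".join(
        line for line in config.splitlines() if not line.lstrip().startswith("#")
    )
    for match in DIRECTIVE.finditer(text):
        args = shlex.split(match.group(1))
        if len(args) < 2:
            continue
        name, value, flags = args[0], args[1], args[2:]
        # Without "always", nginx omits the header on e.g. 4xx and 5xx responses.
        if name.lower() in SECURITY_HEADERS and "always" not in flags:
            findings.append((name, "missing 'always'"))
        # The last HSTS directive must not be followed by a semicolon.
        if name.lower() == "strict-transport-security" and value.rstrip().endswith(";"):
            findings.append((name, "trailing semicolon in value"))
    return findings


# Constructed sample configuration, not taken from the repository.
SAMPLE = '''
server {
    # add_header Referrer-Policy no-referrer;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Cache-Control "max-age=2592000";
}
'''

if __name__ == "__main__":
    for header, problem in lint(SAMPLE):
        print(f"{header}: {problem}")
```

The parser is line- and regex-based, so it does not follow include directives or handle inline comments after a directive.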