From a3560ef8d390405811d42655202c0f9c73854df4 Mon Sep 17 00:00:00 2001 From: Clement Michaud Date: Thu, 19 Oct 2017 21:51:22 +0200 Subject: [PATCH] Add possible security measures in README --- CONTRIBUTORS.md | 1 + README.md | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 5ccc48b77..64d9b155c 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -4,3 +4,4 @@ who commit code to the project are encouraged to add their names here. Please keep the list sorted by first names Clement Michaud +Antoine Favre <@n4kre> diff --git a/README.md b/README.md index 383080f86..c3f27d909 100644 --- a/README.md +++ b/README.md @@ -221,6 +221,28 @@ that the attacker must also require the certificate to retrieve the cookies. Note that using [HSTS] has consequences. That's why you should read the blog post nginx has written on [HSTS]. +### More protections measures + +You can also apply the following headers to your nginx configuration for +improving security. Please read the documentation of those headers before +applying them blindly. + +``` +# We don't want any credentials / TOTP secret key / QR code to be cached by +# the client +add_header Cache-Control "no-store"; +add_header Pragma "no-cache"; + +# Clickjacking / XSS protection + +# We don't want Authelia's login page to be rendered within a , +#
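Review bot: in the CONTRIBUTORS.md hunk the new entry breaks the ordering the file itself asks for two lines above ("Please keep the list sorted by first names"): `Antoine Favre <@n4kre>` sorts before `Clement Michaud` and should be inserted above it rather than appended.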
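Review bot: in the README.md hunk the clickjacking comment ends mid-sentence ("rendered within a ,") and no header directive follows it, so the snippet appears cut off; please check that the intended `add_header` line for the frame protection actually made it into the commit. Two further points on the same hunk: nginx's `add_header` is only inherited from the enclosing block when the current block declares no `add_header` of its own, so readers who paste these into `server {}` and later add another `add_header` inside a `location {}` will silently lose them; the snippet or the text should say where it is meant to go. And `Cache-Control "no-store"` applied server-wide also disables caching of static assets; it is worth stating that the intent is to scope it to the responses that carry credentials, TOTP secrets or QR codes (`Pragma "no-cache"` is an HTTP/1.0-era fallback and adds nothing for clients that honour `Cache-Control`). Minor: the heading "More protections measures" should read "More protection measures".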