Updates following #557 PR review

Author: fernandinand

scripts/wordlist.txt

@@ -254,6 +254,7 @@ spatialindex
 spatialite
 sqlite
 ssl
+SSL
 subfolder
 subfolders
 subproject

src/server/security/index.md

@@ -1,12 +1,12 @@
 # Secure Mergin Maps installation
 
 ::: warning
-This sections aims to provide some guidelines and a minimalistic example on how to secure a Mergin Maps deployment.
+This sections aims to provide some guidelines and a minimalistic example on how to secure a <MainPlatformName /> deployment.
 
 Further security enhancements should be implemented by experts in accordance to cybersecurity policies in place.
 
 :::
-For security and privacy reasons Mergin Maps deployments should enable HTTPS secured connection via certificate file.
+For security and privacy reasons <MainPlatformName /> deployments should enable HTTPS secured connection via certificate file.
 
 We provide a template configuration file <GitHubRepo id="MerginMaps/server/blob/master/ssl-proxy.conf" desc="ssl-proxy.conf" />as base for your configuration.
 
@@ -35,15 +35,31 @@ Next, you need to point your certificate files to NGINX configuration. This is d
 
 The above example uses automated keys generated by CertBot. For more information, visit [CertBot](https://certbot.eff.org/instructions) website and check how you can generate your own keys.
 
-Lastly, adjust the provided NGINX `docker compose` deployment file on the <GitHubRepo id="MerginMaps/server/blob/master/docker-compose.yml" desc="proxy service section" />
+Some extra security settings for HTTP headers are provided. Please review them and update in accordance to your requirements.
 
-``` shell
-       - "8080:8080"
-     volumes:
-       - ./projects:/data  # map data dir to host
--      - ./nginx.conf:/etc/nginx/conf.d/default.conf
-+      - ./ssl-proxy.conf:/etc/nginx/conf.d/default.conf
-       - ./logs:/var/log/nginx/
-     networks:
-       - merginmaps
+```shell
+        # Prevent crawlers from indexing and following links for all content served from the mergin app
+        add_header X-Robots-Tag "none";
+
+        # Protect against clickjacking iframe
+        add_header Content-Security-Policy "frame-ancestors 'self';" always;
+
+        # Add a HSTS policy to prevent plain http from browser
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+        # Set cookies security flags
+        proxy_cookie_flags ~ secure httponly samesite=strict;
+
+        location / {
+            root /var/www/html;
+
+            # The lines below were copied from application proxy
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            # we don't want nginx trying to do something clever with
+            # redirects, we set the Host: header above already.
+            proxy_redirect off;
+            proxy_pass http://app_server;
+        }
 ```