Short description
$ curl -I https://thalia.nu/
HTTP/2 200
server: nginx/1.14.0 (Ubuntu)
date: Fri, 12 Oct 2018 22:50:12 GMT
content-type: text/html; charset=utf-8
content-length: 23238
vary: Accept-Language, Cookie
content-language: en
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
set-cookie: csrftoken=kZ2w81nKFw1jew42B0ZKea5IK5s4mjqZDTdQBZv44qOv25WzCjF7eOMISrtZg58H; expires=Fri, 11-Oct-2019 22:50:12 GMT; Max-Age=31449600; Path=/; Secure
set-cookie: sessionid=jjwncj5k4nuz6fj5tvlajtzre0xsxrvj; expires=Fri, 26-Oct-2018 22:50:12 GMT; HttpOnly; Max-Age=1209600; Path=/; Secure
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000; includeSubDomains; preloadThe x-frame-options, x-content-type-options and x-xss-protection headers are set twice (x-frame-options with two different values). These headers are set by both nginx and Django.
It would be best to let nginx handle the HTTP headers.