From 5d16f6a8f26748d2faceacb0b699f2ee7d382f0b Mon Sep 17 00:00:00 2001 From: bunkerity Date: Thu, 2 Jan 2020 16:31:13 +0000 Subject: [PATCH] fix README --- README.md | 65 ++++++++++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index b2e1bea..815bc5f 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -e SERVER_NAME=www.you Let's Encrypt needs port 80 to be open to request and sign certificates but nginx will only listen on port 443. -## List of variables +## List of environment variables ### nginx security *SERVER_TOKENS* 
@@ -33,46 +33,57 @@ Values : on | off Default value : off If set to on, nginx will display server version in Server header and default error pages. -*HEADER_SERVER* -Values : yes | no -Default value : no +*HEADER_SERVER* +Values : yes | no +Default value : no If set to no, nginx will remove the Server header in HTTP responses. -*ALLOWED_METHODS* -Values : allowed HTTP methods separated with | char -Default value : GET|POST|HEAD +*ALLOWED_METHODS* +Values : allowed HTTP methods separated with | char +Default value : GET|POST|HEAD Only the HTTP methods listed here will be accepted by nginx. If not listed, nginx will close the connection. -*DISABLE_DEFAULT_SERVER* -Values : yes | no -Default value : no +*DISABLE_DEFAULT_SERVER* +Values : yes | no +Default value : no If set to yes, nginx will only respond to HTTP request when the Host header match the SERVER_NAME. For example, it will close the connection if a bot access the site with direct ip. ### Security headers -*X_FRAME_OPTIONS* -Values : DENY | SAMEORIGIN | ALLOW-FROM https://www.website.net | ALLOWALL -Default value : DENY -Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks. +*X_FRAME_OPTIONS* +Values : DENY | SAMEORIGIN | ALLOW-FROM https://www.website.net | ALLOWALL +Default value : DENY +Policy to be used when the site is displayed through iframe. Can be used to mitigate clickjacking attacks. More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). -*X_XSS_PROTECTION* -Values : 0 | 1 | 1; mode=block -Default value : 1; mode=block -Policy to be used when XSS is detected by the browser. Only works with Internet Explorer. -More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection). +*X_XSS_PROTECTION* +Values : 0 | 1 | 1; mode=block +Default value : 1; mode=block +Policy to be used when XSS is detected by the browser. Only works with Internet Explorer. 
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection). -*X_CONTENT_TYPE_OPTIONS* -Values : nosniff -Default value : nosniff -Tells the browser to be strict about MIME type. +*X_CONTENT_TYPE_OPTIONS* +Values : nosniff +Default value : nosniff +Tells the browser to be strict about MIME type. More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options). -*REFERRER_POLICY* -Values : no-referrer | no-referrer-when-downgrade | origin | origin-when-cross-origin | same-origin | strict-origin | strict-origin-when-cross-origin | unsafe-url -Default value : no-referrer +*REFERRER_POLICY* +Values : no-referrer | no-referrer-when-downgrade | origin | origin-when-cross-origin | same-origin | strict-origin | strict-origin-when-cross-origin | unsafe-url +Default value : no-referrer +Policy to be used for the Referer header. +More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy). +*FEATURE_POLICY* +Values : +Default value : accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none' +Tells the browser which features can be used on the website. +More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy). -*TODO : list variables, default value, explanation, ...* +*COOKIE_FLAGS* +Values : * HttpOnly | MyCookie secure SameSite | ... +Default value : * HttpOnly +Adds some security to the cookies set by the server. +Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module). ## TODO - File permissions hardening
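Review bot: In the second hunk the new *FEATURE_POLICY* entry leaves its "Values :" line empty, while every other variable in this section documents its accepted values; either describe the directive syntax (the default value on the next line already shows the `feature 'allowlist'; ...` form) or state that the accepted directives are those listed on the MDN page linked below it, so a reader knows what to put in the variable. Separately, most lines in this hunk are removed and re-added with identical visible content (e.g. "-*HEADER_SERVER*" / "+*HEADER_SERVER*", "-Values : yes | no" / "+Values : yes | no"), which points to a trailing-whitespace or line-ending change; confirm with `git diff -w` that nothing else differs, and consider splitting that whitespace-only rewrite from the substantive additions (*REFERRER_POLICY* description, *FEATURE_POLICY*, *COOKIE_FLAGS*) so the content change stays reviewable.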