fix README

README.md

@@ -25,7 +25,7 @@ docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -e SERVER_NAME=www.you
 
 Let's Encrypt needs port 80 to be open to request and sign certificates but nginx will only listen on port 443.
 
-## List of variables
+## List of environment variables
 
 ### nginx security
 *SERVER_TOKENS*  
@@ -70,9 +70,20 @@ More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Con
 *REFERRER_POLICY*  
 Values : no-referrer | no-referrer-when-downgrade | origin | origin-when-cross-origin | same-origin | strict-origin | strict-origin-when-cross-origin | unsafe-url  
 Default value : no-referrer  
+Policy to be used for the Referer header.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).
 
+*FEATURE_POLICY*  
+Values : <directive> <allow list>  
+Default value : accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'  
+Tells the browser which features can be used on the website.  
+More info [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
 
-*TODO : list variables, default value, explanation, ...*
+*COOKIE_FLAGS*  
+Values : * HttpOnly | MyCookie secure SameSite | ...  
+Default value : * HttpOnly  
+Adds some security to the cookies set by the server.  
+Accepted value can be found [here](https://github.com/AirisX/nginx_cookie_flag_module).
 
 ## TODO
 - File permissions hardening