I'll soon be writing a post about how to achieve an A+ on securityheaders.com and 105 points on Mozilla Observatory for a very simple static website with no JavaScript (just locally served CSS and HTML), and also a >95% Google PageSpeed rating. I will also include the nginx headers used and the gzip compression settings for copy/paste purposes.
@supernova
I did, will do it soon
@nikolal Oh cool. Looking forward to seeing if you included a CSP policy as well.