diff --git a/devdocs/todo.txt b/devdocs/todo.txt
index 68dd0efe..ce9bf8c4 100644
--- a/devdocs/todo.txt
+++ b/devdocs/todo.txt
@@ -1,8 +1,10 @@
 # now
+proper most secure nginx settings for all ayanova installs?
+keepass proper way to use and how to split for security etc?
 trialing plan for setting up server, do we charge? how much, what questions do we need answered to set up droplet can a site be in a sufolder so I don't need a domain name or key, just hang them all off helloayanova.com/s/siteb?
- proxy if path?
+ proxy if path? https://stackoverflow.com/questions/26449466/nginx-proxy-pass-to-a-directory
 Key name and passphrase to unlock it
@@ -196,7 +198,9 @@ todo: 2 or 3 category team view color based on user color?
 todo: 2 create workorder, quote, pm from customer record?? was that a v7 feature? make it so? v.next?
-
+todo: 2/3 cant' use CSP with ayanova without opening it up considerably and allowing unsafe-inline
+ sounds like it's theoretically possible to work but the fontawesome fonts would need to be static or something and styles would need a nonce and etc
+
 todo:3 profiler page has columns: Request Start Response Start Dom Complete which are all empty, somethjing new added that needs to be disabled maybe??
diff --git a/docs/8.0/ayanova/docs/ops-install-linux-server.md b/docs/8.0/ayanova/docs/ops-install-linux-server.md
index 4c7445a5..41eb0369 100644
--- a/docs/8.0/ayanova/docs/ops-install-linux-server.md
+++ b/docs/8.0/ayanova/docs/ops-install-linux-server.md
@@ -379,6 +379,12 @@ If you are already using NGINX for other services then a site configuration file
 server {
 server_name ayanova.example.com www.ayanova.example.com;
 location / {
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin" always;
+
 proxy_pass http://127.0.0.1:7575;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
@@ -434,6 +440,12 @@ server {
 listen 80;
 #server_name ayanova.example.com;
 location / {
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin" always;
+
 proxy_pass http://127.0.0.1:7575;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
@@ -519,6 +531,11 @@ The NGINX default config file will now have new entries looking something like t
 server {
 server_name ayanova.example.com;
 location / {
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin" always;
 proxy_pass http://127.0.0.1:7575;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
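Review bot: The HSTS line added to the first `location /` block, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`, makes `includeSubDomains` and `preload` the default for every install that follows this guide, and both are commitments rather than hardening: `includeSubDomains` forces HTTPS for a year on every name under the customer's domain (any mail, intranet or test host still on plain HTTP becomes unreachable), and `preload` signals consent to have the domain hard-coded into browser preload lists, which is practically irreversible. For a guide aimed at arbitrary customer domains, ship `add_header Strict-Transport-Security "max-age=31536000" always;` and describe `includeSubDomains` and `preload` as opt-in steps to take only once every subdomain is known to serve TLS and the operator intends to submit the domain to the preload list. The doc should also warn that nginx `add_header` directives inside a `location` replace, rather than extend, any `add_header` set at `server` level, so headers added higher up later will silently vanish from this location. The enclosing `server` block's `listen` directives are outside the hunk, so I cannot confirm this block is TLS-only.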
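Review bot: In the second hunk Strict-Transport-Security is added to a server block whose only listener is `listen 80;`, and RFC 6797 §8.1 requires browsers to ignore an STS header received over plain HTTP, so there the line `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` is inert while the other four headers still apply. If this is the pre-certbot listener that certbot later rewrites into a redirect, the doc should say so explicitly; if it is meant to stay as written, the port-80 block should not proxy the application at all but redirect, `return 301 https://$host$request_uri;` in place of the `proxy_pass`, so login traffic never travels in clear text. With `server_name` commented out this block also appears to be nginx's catch-all for any Host header and would proxy arbitrary hostnames to the application; that is inferred from the commented line, since the rest of the block is outside the hunk.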
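Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in the third hunk enables a legacy browser XSS auditor that current Chromium, Firefox and Edge no longer implement, and in the browsers that did implement it the filter itself became an information-leak vector, which is why OWASP now recommends `X-XSS-Protection: 0` or omitting the header; the protection the doc is after comes from Content-Security-Policy, which the todo in this same commit records as not yet deployable for ayanova. This hunk is also the third verbatim copy of the same five `add_header` lines in one install guide, so they will drift the first time one copy is edited; put them once in a file such as `/etc/nginx/snippets/ayanova-headers.conf` and replace each copy with `include snippets/ayanova-headers.conf;`, which keeps the examples short and lets the `listen 80` variant omit HSTS. The `always` parameter is correct as written, since without it nginx attaches these headers only to 2xx/3xx responses and error pages would lose them.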