add_header Strict-Transport-Security max-age=31536000; # 31536000 seconds = 365 days
add_header X-Frame-Options DENY;
“HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using secure connections only (such as HTTPS).” (wikipedia)
This means that, once a browser has received this header, it will use HTTPS instead of HTTP for this host for the next 365 days. Therefore a man-in-the-middle attack that downgrades the connection to plain HTTP is not possible on later visits.
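To confirm what a server actually sends, here is an added example (not from the original page) in Python that parses a Strict-Transport-Security value per RFC 6797 and checks it together with X-Frame-Options; the sample responses are constructed, and the one-year threshold matches the max-age in the config above.

```python
ONE_YEAR = 31536000  # seconds, as in the nginx directive above
DAY = 86400

def parse_hsts(value):
    """Split an HSTS header value into its directives (RFC 6797 syntax).

    Directive names are case-insensitive and must not repeat; max-age is
    required and must be a non-negative integer (optionally quoted).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = val
    if not directives.get("max-age", "").isdigit():
        raise ValueError("HSTS max-age missing or not an integer")
    return directives

def assess_headers(headers):
    """Check the two headers from the config; return findings (empty = OK)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"])
        if max_age == 0:
            findings.append("max-age=0 tells browsers to forget the policy")
        elif max_age < ONE_YEAR:
            findings.append(f"max-age is only {max_age // DAY} days")
        if "includesubdomains" not in d:
            findings.append("includeSubDomains missing: subdomains stay unprotected")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing or unrecognised: {xfo!r}")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY"}
WEAK = {"strict-transport-security": "max-age=3600", "X-Frame-Options": "ALLOWALL"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(name, assess_headers(hdrs) or ["ok"])
```

Feed it the headers returned by a real response (e.g. from `curl -sI`) to see whether the policy the config intends is the one browsers receive.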