nginx setup doc improvement to avoid duplicated headers

README.md

@@ -254,10 +254,11 @@ server {
     }
     
     location / {
-        add_header Access-Control-Allow-Origin $xssorigin;
         proxy_http_version 1.1;
         proxy_set_header Connection "";
         proxy_pass http://127.0.0.1:8080;
+        proxy_hide_header Access-Control-Allow-Origin;
+        add_header Access-Control-Allow-Origin $xssorigin;
     }
 }
 ```
@@ -266,9 +267,9 @@ One further change you might want to make to the file above is the `add_header A
 my own Spothole server to make sure that other third-party web-based software can get the data from my instance, and applies to any endpoint underneath `/api`. If you want
 *your* Spothole instance to be set up the same way, so that others can write software in JavaScript that can access it,
 leave this intact. But if you want your Spothole instance to only be usable by scripts running on the web server you write,
-you can remove this block. (Note that this doesn't stop other people writing *non-web-based* software that accesses your
+you can remove this line. (Note that this doesn't stop other people writing *non-web-based* software that accesses your
 Spothole API—the enforcement of cross-origin headers only happens within the user's browser. If you need to lock your
-instance down so that no-one else can access it with *any* software, that's an aspect of nginx config that you will need
+instance down so that no-one else can access it with *any* software, that's an aspect of nginx or firewall config that you will need
 to find help with elsewhere.)
 
 Now, make a symbolic link to enable the site: