add_header X-Content-Type-Options nosniff;

# please see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# add_header X-Frame-Options deny;
add_header X-Frame-Options SAMEORIGIN;

add_header X-XSS-Protection "1; mode=block";

add_header Referrer-Policy "no-referrer-when-downgrade";

# optional header - use it with care - you are warned!
# add_header Access-Control-Allow-Origin "*";