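# Security response headers.
#
# Two nginx caveats that silently defeat this block:
#   1. `add_header` is NOT merged across levels: if an enclosing or nested
#      `server`/`location` block declares any `add_header` of its own, this
#      whole set is dropped for that block. Keep these in a shared include and
#      re-include it wherever another `add_header` appears.
#   2. Without the `always` parameter, `add_header` only applies to
#      200/201/204/206/3xx responses, so error pages (404, 500, ...) — which
#      often echo request data — would be served without any of these headers.
#      `always` makes them unconditional.

# X-Frame-Options controls whether this site may be framed (clickjacking
# defence). DENY forbids framing from any origin, including our own.
# Modern browsers honour the CSP `frame-ancestors` directive in preference to
# this header; keep both so legacy browsers are covered.
# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
add_header X-Frame-Options DENY always;

# Referrer-Policy: send the Referer header only on same-origin requests, so
# URLs (which may carry tokens or identifiers in path/query) are not leaked to
# third parties.
# https://infosec.mozilla.org/guidelines/web_security#referrer-policy
add_header Referrer-Policy same-origin always;

# X-XSS-Protection: enable the browser's legacy reflected-XSS filter and block
# the page outright on detection rather than attempting to sanitise it.
# NOTE(review): this filter is deprecated — Chromium removed its XSS Auditor
# (v78) and Firefox never implemented it, so it only affects old IE/Safari, and
# the filter itself has been shown to be abusable for cross-site information
# leaks. Current OWASP guidance is `X-XSS-Protection "0"` (or omitting the
# header) and relying on a Content-Security-Policy instead; confirm and switch
# if no CSP is in place yet.
# https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
add_header X-XSS-Protection "1; mode=block" always;

# X-Content-Type-Options: nosniff makes browsers trust the declared
# Content-Type instead of sniffing the body. This matters when serving
# user-supplied content (uploads, attachments): it stops a file served as
# text/plain or an image from being interpreted as HTML/JavaScript, and blocks
# script/style loads whose MIME type does not match. Only effective if every
# response actually carries an accurate Content-Type header.
# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
add_header X-Content-Type-Options nosniff always;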