#
# Default Client Security Settings
# For protection against click-jacking, cross-site-request-forgery (CSRF) and
# cross-site-scripting (XSS) protection
#

# Tell clients not to load scripts and stylesheets unless the server indicates
# the correct MIME type, as files incorrectly detected as scripts or stylesheets
# may lead to XSS attacks.
add_header  X-Content-Type-Options 'nosniff' always;

# Tell clients not to render pages inside frames or iframes to avoid click-jacking.
add_header  X-Frame-Options 'DENY' always;

# Tell client to only send the 'Referer' header for resources on this same site.
#add_header  Referrer-Policy 'same-origin' always;

# Tell clients to never ever send the 'Referer' header.
add_header  Referrer-Policy 'no-referrer' always;

# Enable the Cross-site scripting (XSS) filter built into recent browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header  X-XSS-Protection '1; mode=block' always;

# Force the latest IE version
add_header  X-UA-Compatible 'IE=Edge' always;