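# Response-hardening headers (requires mod_headers): limit referrer leakage,
# clickjacking, MIME sniffing and cross-domain policy-file abuse.
# NOTE: no Content-Security-Policy header is set in this block; the reference
# https://content-security-policy.com/ is for building one separately.
#
# "always" applies each header to every response, including 4xx/5xx error
# responses. A plain "Header set" only touches the success-response table,
# which would leave error pages without these protections, so all directives
# use "always" consistently.
Header always set Referrer-Policy "same-origin"
# Legacy browser XSS auditor. This header is non-standard and is ignored by
# current Chromium- and Firefox-based browsers; a CSP is the supported
# replacement. Value kept unchanged for older clients.
Header always set X-XSS-Protection "1; mode=block"
# Only same-origin documents may frame this site (clickjacking mitigation).
Header always set X-Frame-Options "SAMEORIGIN"
# Browsers must honour the declared Content-Type instead of sniffing it.
Header always set X-Content-Type-Options "nosniff"
# Refuse Flash/Acrobat cross-domain policy files for this origin.
Header always set X-Permitted-Cross-Domain-Policies "none"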