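# Security response headers.
#
# Every header carries `always` so it is also sent on error responses
# (4xx/5xx). Without `always`, nginx adds a header only to a fixed set of
# 2xx/3xx status codes.
#
# Inheritance caveat: add_header directives are inherited from the enclosing
# level only when the current level defines no add_header of its own. A
# `location` block that adds even one header must repeat (or include) this
# whole set, otherwise these headers are dropped for that location.

# The legacy XSS auditor is removed from current browsers. In older ones,
# filter mode without "mode=block" could itself be abused, so it is switched
# off here and the Content-Security-Policy below is relied on instead.
add_header X-XSS-Protection "0" always;

# Allow framing by same-origin pages only (clickjacking defence).
add_header X-Frame-Options SAMEORIGIN always;

# Stop browsers from MIME-sniffing a response away from its declared type.
add_header X-Content-Type-Options "nosniff" always;

# Sends the full URL as referrer on HTTPS -> HTTPS requests, including
# cross-origin ones. Consider "strict-origin-when-cross-origin" if URLs can
# carry tokens or other sensitive path/query data.
add_header Referrer-Policy "no-referrer-when-downgrade" always;

# default-src does not cover frame-ancestors, form-action or base-uri;
# framing is restricted by X-Frame-Options above.
add_header Content-Security-Policy "default-src 'self'" always;

# "all" permits any cross-domain policy file on this host to be honoured by
# Flash/Acrobat clients. "none" forbids them. Use "master-only" instead if
# the site deliberately serves a root crossdomain.xml.
add_header X-Permitted-Cross-Domain-Policies "none" always;

# "noopen" is the only defined value (legacy IE: do not open downloads in the
# site's context). The original line carried the literal placeholder "value".
add_header X-Download-Options "noopen" always;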