## always sourced by include snip.d/http-security-headers

include snip.d/http-proxy-hide-security-headers;

add_header  X-XSS-Protection  "1; mode=block"  always;
add_header  X-Content-Type-Options  "nosniff"  always;
# add_header  Referrer-Policy  "strict-origin-when-cross-origin"  always;
add_header  Referrer-Policy  "no-referrer-when-downgrade"  always;
add_header  Strict-Transport-Security  "max-age=31536000; includeSubDomains; preload" always;
add_header  Permissions-Policy  "interest-cohort=()"  always;

## obsolete
add_header  X-Frame-Options  "SAMEORIGIN"  always;