# Bad Header Protection
add_header X-Frame-Options           SAMEORIGIN;
add_header X-Content-Type-Options    nosniff;
add_header X-XSS-Protection          "1; mode=block";
add_header Referrer-Policy           "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";