add_header   Referrer-Policy 'no-referrer';
add_header   X-Content-Type-Options "nosniff" always;  
add_header   X-Frame-Options SAMEORIGIN always;  
add_header   X-XSS-Protection "1; mode=block" always;
add_header   Content-Security-Policy "upgrade-insecure-requests";