# X-Frame-Options is to prevent from clickJacking attack
add_header X-Frame-Options SAMEORIGIN;

# disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter
add_header X-XSS-Protection "1; mode=block";

# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

add_header Referrer-Policy "no-referrer-when-downgrade";

# Enables response header of "Vary: Accept-Encoding"
gzip_vary on;