# Prevent browsers from incorrectly detecting non-scripts as scripts
# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
add_header X-Content-Type-Options "nosniff";

# prevent clickjacking: https://www.owasp.org/index.php/Clickjacking
# https://geekflare.com/add-x-frame-options-nginx/
# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header X-Frame-Options "DENY";