# Baseline security response headers, applied with more_set_headers
# (headers-more module).
# NOTE(review): `map` is only valid in the http context, so this snippet has
# to be included at http level, not inside a server or location block.

# Explicitly disable the legacy browser XSS auditor; script restrictions are
# expected to come from the Content-Security-Policy header set further down.
more_set_headers "X-XSS-Protection: 0";

# Framing is allowed for same-origin pages only.
# NOTE(review): modern browsers prefer CSP frame-ancestors; check that the
# policy in $content_security_policy agrees with this value.
more_set_headers "X-Frame-Options: SAMEORIGIN";

# Stop browsers from MIME-sniffing a response away from its declared type.
more_set_headers "X-Content-Type-Options: nosniff";

# Cross-origin requests receive the origin only, and nothing is sent on an
# HTTPS -> HTTP downgrade.
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";

# $content_security_policy is defined outside this snippet.
# NOTE(review): more_set_headers clears a header whose value is empty, so an
# unset or empty variable means no CSP is sent at all; verify it is populated
# wherever this snippet is included.
more_set_headers "Content-Security-Policy: $content_security_policy";

# HSTS is advertised on HTTPS requests only. For any other scheme the map
# yields an empty string, which makes more_set_headers omit the header.
# NOTE(review): $scheme describes the connection to this nginx; if TLS is
# terminated in front of it, the value is "http" and HSTS is never sent;
# confirm against the deployment.
# NOTE(review): includeSubDomains plus preload commits every subdomain to
# HTTPS for a year, and preload-list removal is slow; confirm that all
# subdomains serve HTTPS before relying on this.
map $scheme $hsts_header {
    default "";
    https   "max-age=31536000; includeSubDomains; preload";
}

more_set_headers "Strict-Transport-Security: $hsts_header";