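# Security-related response headers.
#
# NOTE: nginx inherits `add_header` directives from the enclosing level only
# when the current level defines none of its own. A `server` or `location`
# block that adds any header of its own must repeat (or re-include) this
# whole set, otherwise its responses go out without these headers.
#
# The `always` parameter attaches the header to every response, including
# 4xx/5xx error pages. Without it nginx adds the header only to a fixed set
# of success and redirect status codes.

# The X-Frame-Options header indicates whether a browser should be allowed
# to render a page within a frame or iframe. SAMEORIGIN permits framing only
# by pages of the same origin, which limits clickjacking.
# The Content-Security-Policy `frame-ancestors` directive is the standardised
# successor; this header still covers browsers that do not support it.
add_header X-Frame-Options "SAMEORIGIN" always;

# MIME type sniffing security protection.
# Tells the browser to honour the declared Content-Type instead of guessing,
# so an uploaded or mislabelled file is not interpreted as script or style.
# There are very few edge cases where you wouldn't want this enabled.
add_header X-Content-Type-Options "nosniff" always;

# The X-XSS-Protection header is used by Internet Explorer version 8+.
# The header instructs IE to enable its built-in anti-cross-site scripting
# filter.
# Caveat: current browsers have removed this filter or never shipped one, so
# this is a legacy measure only. It does not replace output encoding and a
# Content-Security-Policy.
add_header X-XSS-Protection "1; mode=block" always;

# Prevent mobile network providers from modifying your site
#
# (!) If you are using `ngx_pagespeed`, please note that setting
# the `Cache-Control: no-transform` response header will prevent
# `PageSpeed` from rewriting `HTML` files, and, if
# `pagespeed DisableRewriteOnNoTransform off` is not used, also
# from rewriting other resources.
#
# https://developers.google.com/speed/pagespeed/module/configuration#notransform
#
# No `always` here, so this header is not added to error responses.
add_header "Cache-Control" "no-transform";

# Force the latest IE version
# No `always` here either, so error responses do not carry this header.
add_header "X-UA-Compatible" "IE=Edge";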