Referrer-Policy: strict-origin
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Header always set Strict-Transport-Security "max-age=15768000;includeSubdomains"
X-Content-Type-Options: nosniff