# Global security headers - apply everywhere

# We do not set clipboard-write() here, because it is very commonly used
proxy_hide_header Strict-Transport-Security;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

proxy_hide_header Permissions-Policy;
add_header Referrer-Policy "same-origin" always;

proxy_hide_header X-Content-Type-Options;
add_header X-Content-Type-Options "nosniff" always;

proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;

# Obsolete and replaced by Content-Security-Policy
# Only here to pass Hardenize checks
proxy_hide_header X-XSS-Protection;
add_header X-XSS-Protection "0" always;