Header always set X-FRAME-OPTIONS "DENY"
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"