18F/federalist

admin-client/nginx/conf/includes/headers.conf

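# Response headers for the admin client, pulled in via `include`.
#
# NOTE: nginx inherits add_header directives from an outer level only when the
# current level defines none of its own. Any server/location block that adds a
# header must include this file again, or every header below is dropped there.
#
# NOTE(review): no Strict-Transport-Security header is set here; presumably it
# is added by the platform or edge proxy. Confirm.

# Left without `always` on purpose, so error responses are not marked as
# publicly cacheable.
add_header Cache-Control "public, max-age=60";

# `always` attaches the header to every response code. Without it nginx adds
# headers only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308, so
# error pages would go out with no framing, sniffing or CSP protection.
add_header X-Robots-Tag "noindex, nofollow" always;
add_header Referrer-Policy no-referrer always;
add_header X-Frame-Options "DENY" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
# Legacy header: current browsers no longer ship the XSS filter it controls,
# so the Content-Security-Policy below is the effective control.
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;

# script-src is not listed, so scripts fall back to default-src 'self'.
# ((api-domain)) looks like a placeholder substituted at build or deploy time.
# Confirm it is always replaced: the literal token is not a valid CSP source
# expression, so connect-src would not allow the API origin.
add_header Content-Security-Policy "default-src 'self'; connect-src ((api-domain)); frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; font-src 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self'; child-src 'none'; frame-src 'none'; worker-src 'none'; upgrade-insecure-requests" always;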