nginx header security

add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "<policy>";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
add_header Public-Key-Pins 'pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer";