fastcgi_hide_header      X-Powered-By;
fastcgi_hide_header      X-Runtime;
fastcgi_hide_header      X-Version;
add_header               X-Frame-Options SAMEORIGIN;
add_header               X-Content-Type-Options nosniff;
add_header               Content-Security-Policy "upgrade-insecure-requests";
add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";