X-Content-Type-Options:nosniff
X-Xss-Protection:1; mode=block
Referrer-Policy:strict-origin-when-cross-origin