add Content-Security-Policy header

Add "add_header Content-Security-Policy "default-src 'self'" always;" and remove redundant headers

admin_manual/installation/nginx.rst

@@ -69,10 +69,9 @@ webroot of your nginx installation. In this example it is
       add_header Referrer-Policy "no-referrer" always;
       add_header X-Content-Type-Options "nosniff" always;
       add_header X-Download-Options "noopen" always;
-      add_header X-Frame-Options "SAMEORIGIN" always;
+      add_header Content-Security-Policy "default-src 'self'" always;
       add_header X-Permitted-Cross-Domain-Policies "none" always;
       add_header X-Robots-Tag "none" always;
-      add_header X-XSS-Protection "1; mode=block" always;
 
       # Remove X-Powered-By, which is an information leak
       fastcgi_hide_header X-Powered-By;
@@ -231,10 +230,9 @@ your nginx installation.
       add_header Referrer-Policy "no-referrer" always;
       add_header X-Content-Type-Options "nosniff" always;
       add_header X-Download-Options "noopen" always;
-      add_header X-Frame-Options "SAMEORIGIN" always;
+      add_header Content-Security-Policy "default-src 'self'" always;
       add_header X-Permitted-Cross-Domain-Policies "none" always;
       add_header X-Robots-Tag "none" always;
-      add_header X-XSS-Protection "1; mode=block" always;
 
       # Remove X-Powered-By, which is an information leak
       fastcgi_hide_header X-Powered-By;