add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
########
# The directive hereunder - add_header Content-Security-Policy ---- IS TYPED ON A SINGLE LINE ---- DO NOT ---- SPLIT DIRECTIVE OVER MULTIPLE LINES - IT WILL CREATE ERRORS
# If you are using a commercial theme, you will probably need to add additional urls to the CSP as your theme and plugins will need to load content from sources other than 
# your own web site
######## 
add_header Content-Security-Policy "default-src 'self' https://*.jsdelivr.net https://wp-themes.com https://*.cloudflare.com https://*.google.com https://*.googletagmanager.com https://*.google-analytics.com https://*.googleapis.com https://*.gstatic.com https://*.gravatar.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval'; img-src * data:; frame-src  'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self' ";
########
# Add Header Referrer-Policy
# If you rely on affiliate commissions etc, use "unsafe-url" otherwise your commissions may drop as urls may not be tracked correctly
# Otheriwse use no-referrer 
# Uncomment desired directive
######## 
add_header Referrer-Policy "no-referrer";
#add_header Referrer-Policy "unsafe-url";