# Keep legacy browser-era headers out of the default security baseline. They are
# still occasionally requested by enterprise scanners, but modern browsers
# rarely depend on them.
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;