Add basic nginx security headers

This header enables the Cross-site scripting (XSS) filter built into most recent web browsers:

add_header X-XSS-Protection "1; mode=block";

This header doesn’t allow the browser to render the page inside a frame or iframe:

add_header X-Frame-Options "deny";

This header disabled content-type sniffing on most browsers:

add_header X-Content-Type-Options "nosniff";