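// Security response headers. header() must run before any byte of the body is
// sent; once output has started PHP cannot add headers and emits a warning.

// CSP: only same-origin resources by default, scripts likewise.
//  - frame-ancestors 'self' is the CSP form of the X-Frame-Options header set
//    below; browsers that support it honour frame-ancestors and ignore
//    X-Frame-Options, so both must be set and must agree.
//  - base-uri does not inherit from default-src, so it is set explicitly to
//    stop an injected <base href> from re-pointing relative URLs.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'; base-uri 'self'");

// Stop browsers from MIME-sniffing a response away from its declared type.
header("X-Content-Type-Options: nosniff");

// Legacy clickjacking protection for browsers without CSP frame-ancestors;
// kept consistent with the frame-ancestors directive above.
header("X-Frame-Options: SAMEORIGIN");

// Explicitly disable the legacy XSS auditor: its filtering mode has been used
// to introduce side-channel/info-leak issues, and modern browsers rely on CSP
// instead.
header("X-XSS-Protection: 0");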