diff --git a/roles/nextcloud-docker/files/nextcloud/web/nginx.conf b/roles/nextcloud-docker/files/nextcloud/web/nginx.conf index 38eef81..1f5ce64 100644 --- a/roles/nextcloud-docker/files/nextcloud/web/nginx.conf +++ b/roles/nextcloud-docker/files/nextcloud/web/nginx.conf @@ -45,12 +45,17 @@ http { # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + fastcgi_hide_header X-Powered-By; + + root /var/www/html; location = /robots.txt {
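Review bot: The seven `add_header … always` lines sit at the enclosing server/http level, and nginx inherits `add_header` from an outer level only when the current level defines none of its own, so any `location` that sets its own header (a `Cache-Control` on static assets, for instance) will send none of them. The rest of the file is outside this hunk, so check each `location` for `add_header` and repeat the set there, ideally by moving the seven lines into a snippet and writing `include <security-headers-snippet>;` (placeholder path) at both levels. `X-XSS-Protection "1; mode=block"` is carried over from the old config, but most current browsers have dropped the XSS auditor, so it should not be counted on in place of a Content-Security-Policy. `fastcgi_hide_header X-Powered-By;` only strips the header from FastCGI responses, and a short comment such as `# hide the PHP version banner on FastCGI responses` would record why it is there.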