bundles/nginx: hide content security headers coming from php

bundles/nginx/files/site_template

@@ -149,9 +149,16 @@ server {
 %  endfor
 % endif
 % if php:
-    location ~ \.php$ {
+    location ~ \.php(?:$|/) {
         include fastcgi.conf;
         fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
+% if not do_not_set_content_security_headers:
+        fastcgi_hide_header Referrer-Policy;
+        fastcgi_hide_header X-Frame-Options;
+        fastcgi_hide_header X-Content-Type-Options;
+        fastcgi_hide_header X-XSS-Protection;
+% endif
+        fastcgi_hide_header Permissions-Policy;
     }
 %  if not max_body_size:
     client_max_body_size 5M;