You are looking at documentation for an older release. Not what you want? See the current release documentation.
Add the following line in the http or server part of your Nginx configuration :
...
# XSS Protection
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection 1;
add_header Content-Security-Policy "frame-ancestors 'self'"
...