[[headers]]
for = '/**'
[headers.values]
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    X-XSS-Protection = "1; mode=block"
    Content-Security-Policy = """\
        default-src 'self'; \
        script-src 'self' \
            https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js \
            https://cdn.jsdelivr.net/npm/flexsearch@0.7.21/dist/flexsearch.bundle.js \
            https://utteranc.es/client.js; \
        style-src 'self' localhost:1313 https://utteranc.es https://fonts.googleapis.com https://www.youtube.com; \
        object-src 'none'; \
        base-uri 'self'; \
        connect-src 'self' localhost:1313 ws://localhost:1313/livereload; \
        font-src 'self' https://fonts.gstatic.com; \
        frame-src 'self' localhost:1313 https://utteranc.es https://www.youtube-nocookie.com https://www.youtube.com; \
        img-src 'self' https://i.vimeocdn.com https://i.ytimg.com; \
        manifest-src 'self'; \
        media-src 'self' \
        """
    X-Frame-Options = "SAMEORIGIN"
    Referrer-Policy = "strict-origin"
    Permissions-Policy = """\
        geolocation=(), \
        midi=(), \
        sync-xhr=(), \
        microphone=(), \
        camera=(), \
        magnetometer=(), \
        gyroscope=(), \
        fullscreen=(), \
        payment=() \
        """
    Cache-Control = "public, max-age=31536000"
    Access-Control-Allow-Origin = "*"