hinode/config/_default/server.toml

# Auto-generated file - do not modify

[[headers]]
  for = '/**'

  [headers.values]
    Access-Control-Allow-Origin = '*'
    Content-Security-Policy = """
        base-uri 'self'; \
        connect-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com; \
        default-src 'none'; \
        font-src 'self' fonts.gstatic.com; \
        form-action 'self'; \
        frame-src player.cloudinary.com www.youtube-nocookie.com www.youtube.com player.vimeo.com; \
        img-src 'self' *.google-analytics.com *.googletagmanager.com data: *.imgix.net *.imagekit.io *.cloudinary.com i.ytimg.com tile.openstreetmap.org i.vimeocdn.com; \
        manifest-src 'self'; \
        media-src 'self'; \
        object-src 'none'; \
        script-src 'self' *.google-analytics.com *.googletagmanager.com player.vimeo.com; \
        style-src 'self' www.youtube.com; \
        """
    Permissions-Policy = 'geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=() '
    Referrer-Policy = 'strict-origin'
    Strict-Transport-Security = 'max-age=31536000; includeSubDomains; preload'
    X-Content-Type-Options = 'nosniff'
    X-Frame-Options = 'SAMEORIGIN'
    X-XSS-Protection = '1; mode=block'
    cache-control = 'max-age=0, no-cache, no-store, must-revalidate '