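# toml-docs-start server-config
# Response headers added to every path served by Hugo. NOTE(review): Hugo reads
# server.toml for `hugo server` (the local development server) only, so the
# production host needs an equivalent header configuration of its own.
[[headers]]
for = '/**'
[headers.values]
Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options = "nosniff"
# Legacy header: current browsers ignore it and the usual recommendation is
# "0" (disable the old XSS auditor); left unchanged pending a deliberate decision.
X-XSS-Protection = "1; mode=block"
# Each directive line must end with `\` so the multi-line string folds onto a
# single line; a bare line break would leave a raw newline inside the header
# value. The policy relies on X-Frame-Options for framing control (no
# `frame-ancestors`) and does not restrict `form-action`, which does not
# fall back to default-src.
Content-Security-Policy = """\
default-src 'self'; \
script-src 'self' https://*.google-analytics.com https://*.googletagmanager.com; \
style-src 'self' https://fonts.googleapis.com https://www.youtube.com; \
object-src 'none'; \
base-uri 'self'; \
connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com; \
font-src 'self' https://fonts.gstatic.com; \
frame-src 'self' https://www.youtube-nocookie.com https://www.youtube.com; \
img-src 'self' data: https://*.imgix.net https://*.imagekit.io https://*.cloudinary.com https://i.vimeocdn.com https://i.ytimg.com https://*.google-analytics.com https://*.googletagmanager.com https://tile.openstreetmap.org; \
manifest-src 'self'; \
media-src 'self' \
"""
X-Frame-Options = "SAMEORIGIN"
Referrer-Policy = "strict-origin"
# Browser features denied to this origin and to embedded frames.
Permissions-Policy = """\
geolocation=(), \
midi=(), \
sync-xhr=(), \
microphone=(), \
camera=(), \
magnetometer=(), \
gyroscope=(), \
fullscreen=(), \
payment=() \
"""
# Disables caching entirely so edits are visible on the next request.
# Header names are case-insensitive; capitalised here for consistency.
Cache-Control = """\
max-age=0, \
no-cache, \
no-store, \
must-revalidate \
"""
# Lets any origin read responses from this server. Fine for public static
# assets; revisit if the server ever serves per-user or credentialed content.
Access-Control-Allow-Origin = "*"
# toml-docs-end server-config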