# Basic Content Security Policy
Content-Security-Policy: script-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; child-src 'self'; worker-src 'self'; frame-ancestors 'none'; form-action 'self'; block-all-mixed-content;

# for stricter access control, use 'same-origin'
Cross-Origin-Resource-Policy: cross-origin
Access-Control-Allow-Origin: *
Referrer-Policy: no-referrer