# Response headers for every path matched by `for = '/**'`.
# NOTE(review): the [[headers]] / for / [headers.values] layout looks like a
# Netlify `netlify.toml` header rule; confirm against the deploy target.
[[headers]]
for = '/**'

[headers.values]
# HSTS for one year (31536000 s), extended to all subdomains, with the
# `preload` token. Preload-list inclusion is slow to reverse, so every
# subdomain must be able to serve HTTPS before this ships.
Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"

# Stops browsers from MIME-sniffing a response away from its declared
# Content-Type.
X-Content-Type-Options = "nosniff"

# Legacy header: it configured the built-in XSS filter of older browsers,
# which current browsers no longer ship.
# NOTE(review): OWASP's secure-headers guidance is to send "0" (or omit the
# header) and rely on the Content-Security-Policy instead; confirm whether
# "1; mode=block" is still wanted here.
X-XSS-Protection = "1; mode=block"

# Content-Security-Policy. Each line-ending backslash folds the newline and the
# next line's leading whitespace, so the header is sent as one line. Comments
# cannot be placed inside the string; they would become part of the header.
#
# Review notes on the policy as written:
# - script-src includes 'unsafe-inline' and 'unsafe-eval', so the policy does
#   not block injected inline scripts or eval-style execution; as an XSS
#   mitigation it is weak. Nonces or hashes would be the stricter option.
# - script-src and style-src allow *.netlify.app, a shared hosting domain, and
#   broad wildcards such as *.google.com. Content served from any host under
#   those patterns is trusted by this page.
# - img-src contains the bare scheme `https:`, which already allows any HTTPS
#   host; the https:// hosts listed after it add nothing.
# - frame-src lists *.google.com twice (with and without a scheme).
# - frame-src is set, so child-src is not used for frames; it remains the
#   fallback for workers.
# - There is no `form-action` or `frame-ancestors` directive, and neither
#   falls back to default-src. Framing is limited by X-Frame-Options below;
#   form targets are unrestricted.
# - object-src 'none' and base-uri 'self' are present.
Content-Security-Policy = """\
  default-src 'self'; \
  child-src 'self' app.netlify.com; \
  script-src 'unsafe-eval' 'unsafe-inline' 'self' *.hsforms.net *.hs-scripts.com *.google.com *.gstatic.com \
  *.netlify.app app.netlify.com netlify-cdp-loader.netlify.app https://*.google-analytics.com https://*.x.com \
  https://*.twitter.com https://*.youtube.com https://*.flickr.com https://*.googletagmanager.com; \
  style-src 'unsafe-inline' 'self' *.netlify.app app.netlify.com netlify-cdp-loader.netlify.app \
  https://*.knightlab.com https://fonts.googleapis.com https://www.youtube.com; \
  object-src 'none'; \
  base-uri 'self'; \
  connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com \
  https://*.googletagmanager.com https://*.knightlab.com *.hsforms.com *.hubspot.com; \
  font-src 'self' https://*.netlify.app https://fonts.gstatic.com; \
  frame-src 'self' https://www.youtube-nocookie.com https://www.youtube.com https://*.netlify.com \
  https://*.google.com *.google.com; \
  img-src 'self' data: https: https://*.netlify.app https://i.vimeocdn.com https://i.ytimg.com \
  https://*.cloudinary.com https://*.google-analytics.com https://*.googletagmanager.com \
  https://tile.openstreetmap.org *.hsforms.net *.hsforms.com; \
  manifest-src 'self'; \
  media-src 'self' https://*.netlify.app https://*.cloudinary.com https://*.youtube.com; \
  """

# Only same-origin pages may frame this site. The CSP equivalent would be
# `frame-ancestors 'self'`, which the policy above does not set.
X-Frame-Options = "SAMEORIGIN"

# Full URL as referrer on same-origin requests, origin only on cross-origin
# requests, nothing on an HTTPS-to-HTTP downgrade.
Referrer-Policy = "strict-origin-when-cross-origin"

# An empty allowlist `()` disables the feature for this page and for every
# frame it embeds.
# NOTE(review): `fullscreen=()` also applies to the YouTube embeds that
# frame-src allows; confirm that blocking fullscreen video is intended.
Permissions-Policy = """\
  geolocation=(), \
  midi=(), \
  sync-xhr=(), \
  microphone=(), \
  camera=(), \
  magnetometer=(), \
  gyroscope=(), \
  fullscreen=(), \
  payment=() \
  """

# Forbids caching of every response under /** (`no-store` alone is enough; the
# other directives are belt-and-braces).
# NOTE(review): this rule also covers static assets; confirm that is intended.
cache-control = """\
  max-age=0, \
  no-cache, \
  no-store, \
  must-revalidate \
  """

# Any origin may read these responses through cross-origin requests that carry
# no credentials; browsers reject the wildcard on credentialed requests.
# NOTE(review): acceptable for fully public content. If any path under /** is
# non-public or gated by network location, restrict this to named origins.
Access-Control-Allow-Origin = "*"