feat: harden HTTP headers
- content-security-policy
- specify allowed sources of script and style/link
- cdnjs
- netlify production
- netlify deploy previews (for MR)
- allow inline JS
- block mixed-content
- no <form>, no frame-ancestors/iframe - https://scotthelme.co.uk/content-security-policy-an-introduction/
- https://stackoverflow.com/a/40417609
- specify allowed sources of script and style/link
- no referrer
- Use netlify's default hsts max-age. Lower value is only applicable for custom domain.
- feature-policy
- ref:
Edited by Ming Di Leom
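The policy this commit describes, as an added example rather than the project's own code: a small Python helper that serialises the CSP, renders it into a Netlify `_headers` block, and checks a policy for the hardening properties listed above. The cdnjs host and the production and deploy-preview hostnames are assumptions.

```python
from typing import Dict, List

# Assumed sources (placeholders); replace with the real site and CDN hosts.
SCRIPT_SRCS = ["'self'", "https://cdnjs.cloudflare.com",
               "https://example.netlify.app", "https://*.example.netlify.app"]
STYLE_SRCS = ["'self'", "https://cdnjs.cloudflare.com"]


def build_csp(script_srcs: List[str], style_srcs: List[str],
              allow_inline_js: bool = True) -> str:
    """Serialise the policy: allowed script/style sources, no <form>
    submission, no framing, mixed content blocked."""
    scripts = list(script_srcs)
    if allow_inline_js:
        # 'unsafe-inline' keeps inline <script> working but also lets an
        # injected inline script run; a nonce or hash is the stricter option.
        scripts.append("'unsafe-inline'")
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(scripts),
        "style-src " + " ".join(style_srcs),
        "form-action 'none'",        # "no <form>"
        "frame-ancestors 'none'",    # "no frame-ancestors/iframe"
        "block-all-mixed-content",   # "block mixed-content"
    ]
    return "; ".join(directives)


def netlify_headers(csp: str) -> str:
    """Render a Netlify `_headers` block for every path; HSTS is left to
    Netlify's default max-age as the commit says."""
    return "\n".join(["/*", f"  Content-Security-Policy: {csp}",
                      "  Referrer-Policy: no-referrer"])


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialised policy into {directive: [source, ...]}."""
    result: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def csp_findings(header: str) -> List[str]:
    """Return the hardening properties from the commit that `header` lacks."""
    d = parse_csp(header)
    checks = {
        "form-action 'none'": d.get("form-action") == ["'none'"],
        "frame-ancestors 'none'": d.get("frame-ancestors") == ["'none'"],
        "block-all-mixed-content": "block-all-mixed-content" in d,
        "no wildcard script-src": "*" not in d.get("script-src", []),
    }
    return [name for name, ok in checks.items() if not ok]
```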