public/_headers
# Security response headers for every path on the site (`/*` matches all URLs).
# NOTE(review): the header lines below are not indented under the path as the
# host's documented _headers format shows; this may be a copy artifact. Confirm
# on a deployed URL that these headers are actually present in responses.
/*
# NOTE(review): DENY here disagrees with `frame-ancestors 'self'` below. Browsers
# that honour frame-ancestors ignore X-Frame-Options, so same-origin framing is
# what they enforce. Decide which is intended and align the two
# (DENY + 'none', or SAMEORIGIN + 'self').
X-Frame-Options: DENY
# NOTE(review): legacy header. Current browsers no longer ship the XSS auditor
# it controls, and current guidance (e.g. OWASP) is to send `0` or omit it and
# rely on a content-restricting CSP instead.
X-XSS-Protection: 1; mode=block
# Stops browsers from MIME-sniffing a response away from its declared Content-Type.
X-Content-Type-Options: nosniff
# Full URL as referrer on same-origin requests, origin only cross-origin,
# nothing on an HTTPS -> HTTP downgrade.
Referrer-Policy: strict-origin-when-cross-origin
# NOTE(review): this CSP only restricts who may frame the site. It has no
# default-src/script-src/object-src, so it gives no protection against script
# injection. Add those directives if XSS mitigation is expected from this file.
Content-Security-Policy: frame-ancestors 'self';
# HSTS for one year, applied to all subdomains. Confirm every subdomain serves
# HTTPS before relying on includeSubDomains.
Strict-Transport-Security: max-age=31536000; includeSubDomains
# NOTE(review): `*` places no origin restriction on any feature listed, which is
# broader than the browser default for sensitive features such as camera,
# microphone and geolocation. Prefer least privilege: `(self)` for features the
# site uses itself, `()` for ones it does not, and name specific origins only
# where an embedded frame needs them.
Permissions-Policy: accelerometer=*, autoplay=*, camera=*, geolocation=*, gyroscope=*, microphone=*