add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; style-src 'self' https:; script-src 'self'; img-src 'self' https: data:; font-src 'self' https:; upgrade-insecure-requests" always;

add_header Permissions-Policy "camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=(), web-share=()" always;