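# Static headers attached to responses. The mapping was collapsed onto a
# single line, which does not parse as YAML; it is restored to block form.
# Header values are unchanged. NOTE(review) comments mark settings to confirm.
add_response_headers:
  # NOTE(review): "*" lets script on any origin read these responses, and
  # Authorization is an allowed request header, so cross-origin requests that
  # carry a token pass preflight from any site. If the service returns
  # non-public data or is reachable only on an internal network, limit this
  # to the trusted origin(s). Several origins normally means echoing an
  # allow-listed Origin and adding "Vary: Origin".
  Access-Control-Allow-Origin: "*"
  Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept, Authorization"
  # NOTE(review): every state-changing method is allowed cross-origin;
  # trim to the methods the API really exposes.
  Access-Control-Allow-Methods: "GET, HEAD, POST, PUT, DELETE, OPTIONS"
  # NOTE(review): default-src permits any http:/https: source, data:, blob:,
  # 'unsafe-inline' and 'unsafe-eval', so this policy does not restrict where
  # script is loaded from or whether inline script runs. Only
  # frame-ancestors 'self' has a limiting effect. To get XSS mitigation,
  # define script-src without the unsafe-* keywords and scheme wildcards, and
  # consider object-src 'none' and base-uri 'self'. Trial the stricter policy
  # with Content-Security-Policy-Report-Only before enforcing it.
  Content-Security-Policy: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';"
  # Turns off microphone, camera and geolocation for all contexts.
  # interest-cohort refers to the discontinued FLoC proposal; browsers may
  # log it as an unrecognized feature.
  Permissions-Policy: "microphone=(), camera=(), geolocation=(), interest-cohort=()"
  # NOTE(review): this value sends the full URL (path and query) to other
  # HTTPS origins. "strict-origin-when-cross-origin" sends only the origin
  # cross-site. Confirm that URLs never carry tokens or identifiers.
  Referrer-Policy: "no-referrer-when-downgrade"
  # One-year HSTS. includeSubDomains and preload commit every subdomain to
  # HTTPS, and removal from a preload list is slow. Confirm that all
  # subdomains serve valid TLS before relying on this.
  Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
  X-Content-Type-Options: "nosniff"
  # Same intent as frame-ancestors 'self' in the CSP above; kept for clients
  # that do not honour that directive.
  X-Frame-Options: "SAMEORIGIN"
  # NOTE(review): legacy header. Current browsers have removed the XSS
  # auditor it controlled, and current OWASP guidance is to send "0" or omit
  # the header. It is not a substitute for a restrictive CSP.
  X-XSS-Protection: "1; mode=block"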