From ae311104f23686974c4b3ce65724b58251c73696 Mon Sep 17 00:00:00 2001
From: bisco
Date: Wed, 25 Mar 2026 21:08:37 +0100
Subject: [PATCH] Add Netlify security headers with pragmatic CSP hardening
---
 _headers | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 _headers
diff --git a/_headers b/_headers
new file mode 100644
index 0000000..961114a
--- /dev/null
+++ b/_headers
@@ -0,0 +1,5 @@
+/*
+ Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; script-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self'; connect-src 'self'; form-action 'self'; frame-src 'none'; worker-src 'none'; manifest-src 'self'; upgrade-insecure-requests
+ Referrer-Policy: strict-origin-when-cross-origin
+ Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(self), display-capture=(), geolocation=(), gyroscope=(), hid=(), magnetometer=(), microphone=(), midi=(), payment=(), publickey-credentials-get=(), serial=(), usb=(), web-share=(), xr-spatial-tracking=()
+ X-Content-Type-Options: nosniff
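Review bot: The new `/*` rule relies on `upgrade-insecure-requests` inside the CSP but never sends `Strict-Transport-Security`, so a first visit (or any visit after a cached HSTS entry expires) can still be served over plain HTTP and downgraded unless HSTS is injected at the platform level — I would add ` Strict-Transport-Security: max-age=63072000; includeSubDomains` alongside the other headers, and only append `preload` once every subdomain is known to serve TLS. `frame-ancestors 'none'` is the right clickjacking control for current browsers, but a legacy ` X-Frame-Options: DENY` line is a free fallback for clients that ignore that directive. The policy also has no `report-to`/`report-uri`, so any breakage from the stricter directives — `img-src 'self'` rejecting `data:` images, `worker-src 'none'` blocking a service worker, `style-src` without `'unsafe-inline'` blocking inline `style=` attributes a theme may emit — will only appear as silent console errors; rolling the same policy out as `Content-Security-Policy-Report-Only` first, or wiring a reporting endpoint, would surface that before users hit it.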