ekzyis fc18a917e3
Add Content Security Policy headers (#805)
* Basic CSP with unsafe-inline, unsafe-eval

* Allow 'self' for img-src and connect-src

Apparently, there is a bug for Chrome on iOS if connect-src does not allow 'self'.

See known issues at https://caniuse.com/contentsecuritypolicy

* Use nonces for strict CSP

* More CSP comments

* Add frame-ancestors directive

* Add more useful headers

* Add HSTS header

* Allow youtube and twitter embeds

For some reason, www.youtube.com is enough. It also works for youtube.com and youtube-nocookie.com.

For twitter embeds from twitter.com or x.com, platform.twitter.com is enough.

* Allow CDN and media domain in CSP

* Only allow unsafe-eval in dev build

* Ignore _next/webpack-hmr in middleware
2024-02-13 13:10:06 -06:00