Header set X-Content-Type-Options "nosniff" Header set Referrer-Policy "strict-origin-when-cross-origin" Header set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=()" Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; script-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://sirocco.accuweather.com; form-action 'self' https://www.google.com https://www.google.ca; object-src 'none'"