tags, but 'unsafe-inline' is needed for legacy onclick handlers // TODO: Refactor all inline event handlers (onclick, etc.) to use addEventListener, // then remove 'unsafe-inline' from script-src for full CSP protection header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';"); // Prevent clickjacking by disallowing framing header("X-Frame-Options: DENY"); // Prevent MIME type sniffing header("X-Content-Type-Options: nosniff"); // Enable XSS filtering in older browsers header("X-XSS-Protection: 1; mode=block"); // Control referrer information sent with requests header("Referrer-Policy: strict-origin-when-cross-origin"); // Permissions Policy - disable unnecessary browser features header("Permissions-Policy: geolocation=(), microphone=(), camera=()"); } }