Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Permissions-Policy "なんやらかんやら"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

What's left is... X-XSS-Protection... no wait, Content-Security-Policy. Setting that up used to be so easy... I'll work through it while listing up whatever gets blocked in report-only mode.
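The "list up what gets blocked in report-only mode" step above is a matter of aggregating the violation reports the browser POSTs to your reporting endpoint. The following is an added example, not code from the original post: it parses both report shapes a Content-Security-Policy-Report-Only deployment can produce (the legacy `report-uri` JSON with a `csp-report` object, and the Reporting API `report-to` list of `csp-violation` items) and counts blocked origins per directive; the sample reports and hostnames are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample report POST bodies (not real traffic): two legacy
# report-uri payloads and one Reporting API (report-to) batch.
SAMPLE_POSTS = [
    '{"csp-report": {"document-uri": "https://shop.example/", '
    '"effective-directive": "script-src", "blocked-uri": "https://cdn.example/app.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/cart", '
    '"violated-directive": "script-src \'self\'", "blocked-uri": "inline"}}',
    '[{"type": "csp-violation", "url": "https://shop.example/", "body": '
    '{"effectiveDirective": "img-src", "blockedURL": "https://img.example/x.png"}}, '
    '{"type": "csp-violation", "url": "https://shop.example/", "body": '
    '{"effectiveDirective": "script-src", "blockedURL": "https://cdn.example/v2.js"}}]',
]

def _origin(blocked):
    """Reduce a blocked URL to its origin; keep keywords such as 'inline'/'eval'."""
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked or "(empty)"

def parse_post(raw):
    """Yield (directive name, blocked source) pairs from one report POST body."""
    data = json.loads(raw)
    items = data if isinstance(data, list) else [data]
    for item in items:
        if "csp-report" in item:                   # legacy report-uri format
            body = item["csp-report"]
            directive = body.get("effective-directive") or body.get("violated-directive", "")
            blocked = body.get("blocked-uri", "")
        elif item.get("type") == "csp-violation":  # Reporting API format
            body = item.get("body", {})
            directive = body.get("effectiveDirective", "")
            blocked = body.get("blockedURL", "")
        else:
            continue
        # violated-directive may carry the full directive value; keep only its name
        name = directive.split()[0] if directive else "(unknown)"
        yield name, _origin(blocked)

def summarize(posts):
    """Count blocked sources per directive: {directive: {source: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for raw in posts:
        for directive, source in parse_post(raw):
            counts[directive][source] += 1
    return {d: dict(s) for d, s in counts.items()}
```

Running `summarize(SAMPLE_POSTS)` gives the per-directive tally that tells you which origins to allow-list before switching the header from Report-Only to enforcing, and which entries (an unexpected origin, or a large count of `inline`) deserve a closer look instead.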