# Response-header hardening, presumably applied on the deliver path (resp.* is
# the object being returned to the client) — confirm which subroutine includes
# this snippet.

# Restricts all resource loads to the page's own origin. 'self' alone also
# blocks inline scripts/styles and data: URIs; the application must not rely on
# those, or it will break under this policy — verify against the front end.
set resp.http.Content-Security-Policy = "default-src 'self'";
# Pages may only be framed by the same origin (clickjacking mitigation).
set resp.http.X-Frame-Options = "SAMEORIGIN";
# NOTE(review): "1" enables the legacy reflected-XSS filter in its sanitising
# (not blocking) mode; that mode has been the source of filter-induced
# vulnerabilities, the filter has been removed from current browsers, and the
# prevailing recommendation is the value "0" (or dropping the header). Left
# unchanged here; confirm the intended value with the owners.
set resp.http.X-XSS-Protection = "1";
# Stops browsers from MIME-sniffing a response away from its Content-Type.
set resp.http.X-Content-Type-Options = "nosniff";
# Sends only the origin (no path/query) on cross-origin navigations/requests.
set resp.http.Referrer-Policy = "origin-when-cross-origin";
# Certificate Transparency enforcement with a 30-second max-age, i.e. a
# near-immediate expiry. The header is deprecated and ignored by recent
# browsers; it is harmless but no longer load-bearing — consider removing it.
set resp.http.Expect-CT = "enforce,max-age=30";
# HSTS is only meaningful on a TLS response (browsers ignore it over plain
# HTTP), so it is gated on the request having arrived over https.
# One-year lifetime, covering subdomains. Not marked "preload".
if (req.protocol == "https") {
  set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
}
# Strip origin/infrastructure fingerprinting and cache-diagnostic headers.
# The gate is a request header, which any client can send, so the presence of
# these headers must not be treated as confidential; this is noise reduction,
# not a secret. The Server, X-Powered-By and Via values originate upstream and
# are removed rather than overwritten, so nothing is sent in their place.
if (!req.http.Fastly-Debug) {
  unset resp.http.Server;
  unset resp.http.X-Powered-By;
  unset resp.http.Via;
  unset resp.http.x-served-by;
  unset resp.http.x-cache;
  unset resp.http.x-cache-hits;
  unset resp.http.x-timer;
}
# When Cache-Control carries a max-age directive (":max-age" reads that
# subfield of the header), drop Expires so the two freshness signals cannot
# disagree; Cache-Control takes precedence anyway.
if (resp.http.cache-control:max-age) {
  unset resp.http.expires;
}