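# Response security headers. These statements assume they run in a deliver-time
# subroutine where `resp`, `req` and `fastly_info` are in scope; the enclosing
# sub header is not visible in this excerpt.
set resp.http.Content-Security-Policy = "default-src 'self'; frame-ancestors 'self'";
# strict-* variant: origin only on cross-site navigations and nothing at all on
# an HTTPS->HTTP downgrade, so the origin is never leaked over cleartext.
set resp.http.Referrer-Policy = "strict-origin-when-cross-origin";
set resp.http.Strict-Transport-Security = "max-age=86400"; # Increase when working well in prod (a year is a common final value)
# "0" switches the legacy browser XSS auditor off. "1; mode=block" is retired in
# current engines and the auditor itself has been abused as a cross-site leak;
# the CSP above is the actual XSS control.
set resp.http.X-XSS-Protection = "0";
set resp.http.X-Content-Type-Options = "nosniff";

if (req.http.Origin) { # Reflecting any Origin is equivalent to "*"; check it against an allowlist before relying on this in prod
  set resp.http.Access-Control-Allow-Origin = req.http.Origin;
  set resp.http.Access-Control-Allow-Methods = "GET,HEAD,POST,OPTIONS";
  # The ACAO value depends on the request Origin, so downstream caches must key
  # on it, otherwise one origin's ACAO can be served to another origin.
  # NOTE(review): if this runs in vcl_deliver it only affects downstream caches;
  # for the edge cache itself the same Vary must be set on beresp in vcl_fetch.
  if (resp.http.Vary) {
    set resp.http.Vary = resp.http.Vary ", Origin";
  } else {
    set resp.http.Vary = "Origin";
  }
}

add resp.http.Server-Timing = fastly_info.state {", fastly;desc="Edge time";dur="} time.elapsed.msec;
# "*" lets a page from any origin read the timing values exposed above.
set resp.http.Timing-Allow-Origin = "*";
# Fonts are always fetched in CORS mode, so the preload hint needs `crossorigin`
# (even for a same-origin font) or browsers ignore the preload and fetch twice.
set resp.http.Link = "</fonts/myfont.otf>; rel=preload; as=font; crossorigin";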