Content-Security-Policy: object-src 'none'; base-uri 'self'; font-src 'self' fonts.gstatic.com fonts.googleapis.com js.intercomcdn.com fonts.intercomcdn.com https://*.hotjar.com; frame-ancestors 'self' https://*.hygraph.com; manifest-src 'self'; worker-src 'none'; report-to default;