security-headers.conf

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;    
add_header X-Content-Type-Options "nosniff" always;
#Referrer Policy 
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
#This is duplicated in CSP frame-ancestors, keept it for older browser support - ALLOW-FROM not supported, maybe skip it
add_header X-Frame-Options "ALLOW-FROM https://*.monday.com";	
add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()" always;

set $DEFAULT "default-src 'none'";

set $FRAME "frame-src 'self'";
set $FRAME "${FRAME} https://*.configcat.com";

set $SCRIPT "script-src 'self'";
set $SCRIPT "${SCRIPT} https://*.configcat.com";
set $SCRIPT "${SCRIPT} https://*.cloudflareinsights.com";

set $STYLE "style-src 'self' 'unsafe-inline'";

set $FONT "font-src 'self' data:";
set $FONT "${FONT} https://fonts.gstatic.com";
set $FONT "${FONT} https://fonts.googleapis.com";

set $IMG "img-src 'self' data:";
set $IMG "${IMG} https://*.configcat.com";
set $IMG "${IMG} https://*.cloudinary.com";

set $CONNECT "connect-src 'self'";
set $CONNECT "${CONNECT} https://*.configcat.com";
set $CONNECT "${CONNECT} https://*.monday.com";
set $CONNECT "${CONNECT} https://*.cloudflareinsights.com";

set $OBJECT "object-src 'none'";

set $CHILD "child-src 'self' blob:";

set $FRAMEANC "frame-ancestors https://*.configcat.com";
set $FRAMEANC "${FRAMEANC} https://*.monday.com";

set $MISC "upgrade-insecure-requests; block-all-mixed-content";

add_header Content-Security-Policy "${DEFAULT}; ${FRAME}; ${SCRIPT}; ${STYLE}; ${FONT}; ${IMG}; ${CONNECT}; ${OBJECT}; ${CHILD}; ${FRAMEANC}; ${MISC}" always;