Merge branch 'master' into last-login

static.json

@@ -7,7 +7,10 @@
   "headers": {
     "/**": {
       "X-Content-Type-Options": "nosniff",
-      "X-Frame-Options": "deny"
+      "X-XSS-Protection": "1; mode=block",
+      "X-Frame-Options": "deny",
+      "Content-Security-Policy": "default-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; script-src-elem 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com; frame-src 'self' https://www.google.com https://www.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; connect-src *;",
+      "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload"
     }
   }
 }

vite.config.ts

@@ -64,7 +64,7 @@ export default ({ command, mode }: ConfigEnv): UserConfigExport => {
           'X-XSS-Protection': '1; mode=block',
           'X-Frame-Options': 'deny',
           'Content-Security-Policy':
-            "default-src 'self' data:; script-src 'self' 'unsafe-inline' blob:; script-src-elem 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com; frame-src 'self' https://www.google.com https://www.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; connect-src *;",
+            "default-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; script-src-elem 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com; frame-src 'self' https://www.google.com https://www.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; connect-src *;",
           'Strict-Transport-Security': 'max-age=63072000; includeSubdomains; preload',
         },
       },