diff --git a/web/src/routes/_headers/+server.ts b/web/src/routes/_headers/+server.ts
new file mode 100644
index 00000000..2cbf4e88
--- /dev/null
+++ b/web/src/routes/_headers/+server.ts
@@ -0,0 +1,28 @@
+export async function GET() {
+ const CSP = [
+ "default-src 'none'",
+ "script-src 'self' challenges.cloudflare.com",
+ "frame-src challenges.cloudflare.com",
+ ]
+
+ const _headers = {
+ "/*": {
+ "Cross-Origin-Opener-Policy": "same-origin",
+ "Cross-Origin-Embedder-Policy": "require-corp",
+ "Content-Security-Policy": CSP.join("; "),
+ }
+ }
+
+ return new Response(
+ Object.entries(_headers).map(
+ ([path, headers]) => [
+ path,
+ Object.entries(headers).map(
+ ([key, value]) => ` ${key}: ${value}`
+ )
+ ].flat().join("\n")
+ ).join("\n\n")
+ );
+}
+
+export const prerender = true;
diff --git a/web/static/_headers b/web/static/_headers
deleted file mode 100644
index cabbdca5..00000000
--- a/web/static/_headers
+++ /dev/null
@@ -1,3 +0,0 @@
-/*
- Cross-Origin-Opener-Policy: same-origin
- Cross-Origin-Embedder-Policy: require-corp
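Review bot: The `CSP` array at the top of `GET` relies on `default-src 'none'`, but `base-uri`, `form-action` and `frame-ancestors` do not fall back to `default-src`, so the generated policy leaves `<base>` injection, form targets and framing by other origins unrestricted. I would add `"base-uri 'self'",`, `"form-action 'self'",` and `"frame-ancestors 'none'",` to the array, loosening `frame-ancestors` only if the site is meant to be embedded. Separately, with only `script-src` and `frame-src` listed, every other fetch type (styles, images, fonts, `connect-src`, workers) inherits `'none'`, and `script-src 'self'` carries no hash or nonce for inline scripts; whether the app needs any of these is not visible in this hunk, so it is worth confirming against the built site, for example by shipping the policy as `Content-Security-Policy-Report-Only` first.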