/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: origin-when-cross-origin
  Cache-Control: public, max-age=0, s-maxage=0, must-revalidate

/manifest.webmanifest
  Content-Type: application/manifest+json

# assets get a long cache instead of no cache
/assets/*
  Cache-Control: public, max-age=31536000, s-maxage=31536000, immutable