blog/netlify.toml

[context.production]
  publish = "public"
  command = "npm run snyk && npm run hexo"

[[headers]]
  for = "/*"
  [headers.value]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Content-Security-Policy = "default-src 'self'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src https: 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src https://cdnjs.cloudflare.com 'self'; style-src https://cdnjs.cloudflare.com 'self'; worker-src 'none'; base-uri 'none'; form-action 'none'; block-all-mixed-content; frame-ancestors 'none';"
    Referrer-Policy = "no-referrer"
    Strict-Transport-Security = "max-age=31536000"
    Feature-Policy = "accelerometer 'none'; autoplay 'none'; camera 'none'; document.domain 'none'; display-capture 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'"