# Static-host security headers for the XENA Fluid Intent proof-surface.
# Works on Cloudflare Pages / Netlify (the `_headers` convention).
# The bundle is fully self-contained and makes NO network calls by default,
# so connect-src can be locked to 'none'. (If you enable the optional live
# ?src= fetch on xena-fluid-world.html, widen connect-src to the gateway origin.)
# Rule for `/*`: the headers below are attached to every path the host serves.
#
#   X-Content-Type-Options  - `nosniff` stops browsers from MIME-sniffing a
#                             response into a different content type.
#   X-Frame-Options         - `DENY` forbids framing; duplicates CSP
#                             `frame-ancestors 'none'` for browsers that only
#                             honour the older header.
#   Referrer-Policy         - `no-referrer` sends no Referer header on
#                             outbound navigation or subresource requests.
#   Permissions-Policy      - empty allowlists switch off geolocation,
#                             microphone and camera for the page and any frame.
#   Content-Security-Policy - deny-by-default (`default-src 'none'`), then
#                             re-allow same-origin images (plus data: URIs),
#                             styles, scripts and fonts. Connections, <base>
#                             rewriting, form posts and framing stay blocked.
#
# NOTE(review): `script-src ... 'unsafe-inline'` lets any inline <script> block
# or inline event handler run, so this policy does not stop script execution
# from injected markup. Presumably it is required because the bundle inlines
# its scripts (confirm). If those inline scripts are fixed at build time, a
# per-script hash source ('sha256-<BASE64_DIGEST_PLACEHOLDER>') can replace
# 'unsafe-inline'.
# NOTE(review): if the optional ?src= fetch is enabled, add only the single
# exact gateway origin to connect-src (scheme + host), not a wildcard or a bare
# scheme. Otherwise the page could be pointed at arbitrary endpoints.
# NOTE(review): no Strict-Transport-Security header is set in this file.
# Presumably HTTPS enforcement is left to the hosting platform (confirm).
/*
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: no-referrer
  Permissions-Policy: geolocation=(), microphone=(), camera=()
  Content-Security-Policy: default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'
