// Production hardening: security headers + an audit log. // Helmet-style headers. The always-on ones are safe for any app. A Content-Security-Policy is powerful // but easy to break (fonts need allow-listed origins), so it's OPT-IN via ENABLE_CSP=1. export function securityHeaders() { const cspParts = process.env.ENABLE_CSP === "1" ? [ "default-src 'self'", "script-src 'self' 'unsafe-inline' 'unsafe-eval'", "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com", "font-src 'self' https://fonts.gstatic.com data:", "img-src 'self' data: blob: https:", "media-src 'self' blob: https:", "connect-src 'self'", "worker-src 'self' blob:", ] : []; // Allow embedding this app in an