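' Sets the response content type, the CORS headers and the browser hardening
' headers, then short-circuits CORS preflight (OPTIONS) requests.
' The enclosing Sub is not visible here; resp and req are assumed to be the
' servlet response/request objects passed to it - confirm against the caller.
resp.ContentType = "application/json"

' --- CORS ---
' NOTE(review): "*" allows scripts from any origin to read these responses, and
' the allowed-headers list below includes Authorization and api_key. If the API is
' only meant for known front ends, echo the request Origin back only when it is in
' an allowlist (e.g. <YOUR_ALLOWED_ORIGIN>) and add "Vary: Origin".
resp.SetHeader("Access-Control-Allow-Origin", "*")
' NOTE(review): "UPDATE" is not a standard HTTP method; PUT and/or PATCH were
' probably intended. Left unchanged because the API's real verbs are not visible here.
resp.SetHeader("Access-Control-Allow-Methods", "GET, POST, UPDATE, DELETE, OPTIONS")
resp.SetHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, api_key")

' --- Hardening headers ---
' Set before the OPTIONS short-circuit so that preflight responses carry them too
' (the original only added them to non-OPTIONS responses).
resp.SetHeader("X-Frame-Options", "DENY")
' Legacy header: current browsers ignore X-XSS-Protection, so the Content-Security-Policy
' below is the control that matters. Kept for old clients.
resp.SetHeader("X-XSS-Protection", "1;mode=block")
' Only honoured when delivered over HTTPS. includeSubDomains + preload commits every
' subdomain to HTTPS for the max-age period (one year).
resp.SetHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains;preload")
resp.SetHeader("X-Content-Type-Options", "nosniff")
resp.SetHeader("Referrer-Policy", "no-referrer-when-downgrade")
' NOTE(review): only script-src is restricted and there is no default-src, so all other
' resource types stay unrestricted. For a JSON-only API a policy such as
' "default-src 'none'; frame-ancestors 'none'" is the usual baseline.
' Replace api.yourdomain.com with the real host.
resp.SetHeader("Content-Security-Policy", "script-src https://api.yourdomain.com")
' Feature-Policy has been superseded by Permissions-Policy; send both so old and new
' browsers get the same microphone restriction.
resp.SetHeader("Feature-Policy", "microphone 'none'")
resp.SetHeader("Permissions-Policy", "microphone=()")

' Preflight requests need only the headers above.
' Returning True presumably tells the caller to continue processing - TODO confirm
' against the enclosing Sub's contract.
If req.Method = "OPTIONS" Then
    Return True
End If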