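// Security-header middleware. It runs on every request before the rest of the pipeline, so the
// headers are written before the response has started. Values taken from configuration are
// resolved once at startup (fail fast on a bad deployment) instead of on every request.
string oidcAuthority = builder.Configuration.GetValue<string>("oidc:Authority")
    ?? throw new InvalidOperationException("Configuration value 'oidc:Authority' is required.");

// The authority is interpolated straight into Content-Security-Policy. A value containing
// whitespace or ';' would corrupt the policy or inject extra directives, and an unparseable
// value would silently yield a useless source expression, so insist on a well-formed absolute URL.
if (!Uri.TryCreate(oidcAuthority, UriKind.Absolute, out _)
    || oidcAuthority.IndexOfAny(new[] { ' ', ';', ',' }) >= 0)
{
    throw new InvalidOperationException("Configuration value 'oidc:Authority' must be a single absolute URL.");
}

// TODO(review): "https://myurl" looks like a placeholder. The public origin should come from
// configuration; if it does not match the origin the site is actually served from, own-origin
// scripts and styles are blocked because script-src/style-src below do not inherit 'self'.
string mainUrl = "https://myurl";
#if DEBUG
mainUrl = "https://localhost:7241";
#endif

// NOTE(review): 'unsafe-inline' and 'unsafe-eval' in default-src and script-src allow any
// injected inline script to run, which removes most of the XSS protection CSP provides.
// The real fix is nonces or hashes for the inline code the front end needs; the allowances
// are kept here because the application apparently depends on them today.
string csp =
    $"default-src 'self' {mainUrl} {oidcAuthority} " +
    "https://code.cdn.mozilla.net " +
    "https://dc.services.visualstudio.com " +
    "'unsafe-inline' 'unsafe-eval'; " +
    $"script-src 'unsafe-inline' 'unsafe-eval' {mainUrl}; " +
    $"connect-src 'self' {oidcAuthority} https://code.cdn.mozilla.net; " +
    // The scheme source needs its colon: a bare "data" is parsed as a host name, so
    // data: images were being blocked by the previous policy.
    $"img-src 'self' data: {mainUrl}; " +
    $"style-src 'unsafe-inline' {mainUrl} https://code.cdn.mozilla.net; " +
    "base-uri 'self'; " +
    "form-action 'self'; " +
    "frame-ancestors 'self';";

app.Use((context, next) =>
{
    // Responses may carry tokens or per-user data: forbid caching by browsers and intermediaries.
    context.Response.GetTypedHeaders().CacheControl = new Microsoft.Net.Http.Headers.CacheControlHeaderValue()
    {
        MustRevalidate = true,
        NoCache = true,
        NoStore = true,
    };

    // Indexer assignment instead of Add(): Add() throws if an earlier component already set
    // the same header, which would turn a duplicate security header into a 500.
    var headers = context.Response.Headers;
    headers["X-Content-Type-Options"] = "nosniff";
    headers["Content-Security-Policy"] = csp;
    headers["Referrer-Policy"] = "same-origin";
    headers["Permissions-Policy"] = "geolocation=(), microphone=()";
    // The legacy XSS auditor has been removed from current browsers and, where it still exists,
    // has itself been used for cross-site information leaks; OWASP recommends disabling it
    // explicitly ("0"). The CSP above is the actual control.
    headers["X-XSS-Protection"] = "0";
    // Legacy counterpart of frame-ancestors 'self' for browsers without CSP level 2.
    headers["X-Frame-Options"] = "SAMEORIGIN";
    // "SameSite" is not an HTTP response header but a Set-Cookie attribute, so the previous
    // Headers.Add("SameSite", "Strict") had no effect. Enforce it where cookies are issued:
    // CookiePolicyOptions.MinimumSameSitePolicy = SameSiteMode.Strict (app.UseCookiePolicy)
    // or CookieOptions.SameSite on each cookie.

    return next.Invoke();
});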