/** @type {import('@sveltejs/kit').Handle} */
export async function handle({ event, resolve }) {
  const response = await resolve(event);

  // ── Security headers ────────────────────────────────────────────────────────
  // Prevent clickjacking
  response.headers.set('X-Frame-Options', 'SAMEORIGIN');

  // Prevent MIME-type sniffing
  response.headers.set('X-Content-Type-Options', 'nosniff');

  // Control referrer information
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');

  // Restrict browser features
  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

  // Content Security Policy
  // - default-src 'self': only load resources from our own origin
  // - script-src 'self' 'unsafe-inline': SvelteKit needs inline scripts for hydration
  // - style-src 'self' 'unsafe-inline' fonts.googleapis.com: inline styles + Google Fonts CSS
  // - font-src 'self' fonts.gstatic.com: Google Fonts files
  // - img-src 'self' data:: allow data URIs for any inline images
  // - connect-src 'self': API calls only to our own origin
  // - frame-ancestors 'none': belt-and-suspenders against clickjacking
  response.headers.set('Content-Security-Policy', [
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline'",
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
    "font-src 'self' https://fonts.gstatic.com",
    "img-src 'self' data:",
    "connect-src 'self'",
    "frame-ancestors 'none'",
    "base-uri 'self'",
    "form-action 'self'",
  ].join('; '));

  return response;
}