Fix Missing Security Headers on Vercel

Vercel projects declare headers in vercel.json using a headers array whose entries match request paths by source pattern. This keeps the policy in Git and redeploys it with every merge, which suits teams that want reviewable security changes.

Match the strictness of your CSP to the frameworks you use: Next.js may need hashes or nonces for inline scripts once you move away from unsafe-inline. Start from the HeadersFixer output and narrow script-src over time.
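Because the policy lives in Git, it can be linted before merge. The check below is an added example, not HeadersFixer or Vercel code: it audits the headers array of a constructed sample config, and the required-header list and the "/(.*)" site-wide source pattern are assumptions of this sketch.

```javascript
// Added example: lint the headers array of a vercel.json before merge.
// REQUIRED and CATCH_ALL are assumptions for this sketch, not Vercel rules.
const REQUIRED = ["content-security-policy", "x-content-type-options",
  "referrer-policy", "permissions-policy"];
const CATCH_ALL = "/(.*)"; // assumed source pattern of the site-wide rule

// Constructed sample; in CI, parse the repository's vercel.json instead.
const sampleConfig = {
  headers: [
    {
      source: "/(.*)",
      headers: [
        { key: "Content-Security-Policy",
          value: "default-src 'self'; script-src 'self' 'unsafe-inline'" },
        { key: "X-Content-Type-Options", value: "nosniff" },
        { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      ],
    },
    { source: "/api/(.*)", headers: [{ key: "Cache-Control", value: "no-store" }] },
  ],
};

// Source list of the directive that governs scripts: script-src if present,
// otherwise the default-src fallback. The first copy of a directive wins.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives.get("script-src") || directives.get("default-src") || null;
}

function auditVercelHeaders(config) {
  const rules = Array.isArray(config.headers) ? config.headers : [];
  const rule = rules.find((r) => r.source === CATCH_ALL);
  if (!rule) return [`no headers rule with source ${CATCH_ALL}`];
  const set = new Map((rule.headers || []).map(
    (h) => [String(h.key).toLowerCase(), String(h.value)]));
  const findings = REQUIRED.filter((n) => !set.has(n)).map((n) => `missing ${n}`);
  const csp = set.get("content-security-policy");
  const src = csp ? scriptSources(csp) : null;
  if (csp && !src) findings.push("CSP has neither script-src nor default-src");
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const strict = (s) => /^'(nonce-|sha(256|384|512)-)/i.test(s);
  if (src && src.some((s) => s.toLowerCase() === "'unsafe-inline'") && !src.some(strict))
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
  return findings;
}

console.log(auditVercelHeaders(sampleConfig));
```

A non-empty result can fail the build, so a merge that drops a header or reintroduces unsafe-inline is caught in review.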
