# CSP for api.crewli.app
# The API serves JSON only — no scripts, styles, or images needed.
#
# default-src 'none'      blocks every fetch directive (scripts, styles,
#                         images, fonts, connections) if a response is ever
#                         rendered as a document by a browser.
# frame-ancestors 'none'  forbids embedding responses in a frame; it is listed
#                         explicitly because frame-ancestors does not fall back
#                         to default-src.
# always                  sends the header on every response code, so error
#                         responses (4xx/5xx) carry the policy too.
#
# NOTE(review): nginx inherits add_header from the enclosing level only when
# the current level defines no add_header of its own. Any nested block that
# sets another header silently drops this policy unless the directive is
# repeated there — confirm against the rest of the configuration.
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;