(funcall lack/middleware/charset:*lack-middleware-security-headers*
         *app*
         :content-security-policy "default-src 'self'; report-to https://reportcollector.example.com/collector.cgi")

(lack:builder
 (:security-headers
  :x-frame-options "DENY"
  :x-xss-protection "0"
  :x-content-type-options "nosniff"
  :x-permitted-cross-domain-policies nil
  :referrer-policy "strict-origin-when-cross-origin"
  :strict-transport-security "max-age=300; includeSubdomains; preload"
  :content-security-policy "default-src https://www.my-site.example.com; report-to https://reportcollector.example.com/collector.cgi"
  :permissions-policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(self), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
  :additional-headers '(:x-foo "Foo"))
 *web*)

(asdf:test-system :foo.lisp.lack-middleware-security-headers)