This plugin is opinionated and these things will not directly apply to every situation, so it is best to analyze individual applications to determine your own best path forward.
|strict-transport-security||max-age >= 31536000|
|referrer-policy|| no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin|
|permissions-policy||Just expects this to exist in some way|
|content-security-policy||Minimum of: default-src 'none'|
|x-frame-options||deny, sameorigin, allow-from|
|x-xss-protection||0, 1 (informs you that it is deprecated and recommends CSP)|