Current HTTP Content Security Policy (CSP)

Please note that separation by directory is being enforced, so each resource type is served only from its own directory:

+ website
    + images
    + css
    + js
    + media
    + frames
    + fonts

The currently best-secured policy for HTTP CSP is:

default-src 'none'; 
base-uri 'none'; 
block-all-mixed-content; 
child-src https://egbert.net/frames/; 
connect-src 'self' https://egbert.net/; 
frame-ancestors 'self'; 
frame-src https://egbert.net/frames/; 
font-src https://egbert.net/fonts/; 
form-action 'none'; 
img-src 'self' https://egbert.net/favicon.ico https://egbert.net/images/ https://egbert.net/blog/ data:; 
manifest-src 'self'; 
media-src https://egbert.net/media/ data:; 
object-src 'none'; 
prefetch-src 'self'; 
require-trusted-types-for 'script'; 
sandbox allow-same-origin; 
script-src 'strict-dynamic'; 
script-src-elem 'strict-dynamic'; 
script-src-attr 'strict-dynamic'; 
style-src 'self' https://egbert.net/ https://egbert.net/images/ https://egbert.net/css/ https://egbert.net/fonts/ ; 
style-src-elem 'self' https://egbert.net/fonts/; 
style-src-attr 'self' https://egbert.net/fonts/; 
upgrade-insecure-requests; 
worker-src 'self';
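As an added example (not code from the page or from the egbert.net site), the script below parses a CSP header like the one above into directives and checks it the way the directory split intends: default-src, base-uri and object-src must be 'none', no 'unsafe-inline' or 'unsafe-eval' source may appear, 'strict-dynamic' must be paired with a nonce or hash source (it ignores host and 'self' sources, so nothing else can bootstrap script loading), and every https://egbert.net host source must stay inside the directory reserved for that resource type. The allowed-directory table, the condensed copy of the policy and the nonce value are assumptions constructed for the example.

```python
SITE = "https://egbert.net"

# Path prefixes each resource type may be served from, following the page's
# directory layout (assumption: the site's convention, encoded as a table).
ALLOWED_DIRS = {
    "img-src": ("/images/", "/blog/", "/favicon.ico"),
    "font-src": ("/fonts/",),
    "media-src": ("/media/",),
    "frame-src": ("/frames/",),
    "style-src": ("/css/", "/fonts/"),
}

# Condensed copy of this page's policy (constructed for the example; the nonce is made up).
GOOD_POLICY = (
    "default-src 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; "
    "frame-src https://egbert.net/frames/; font-src https://egbert.net/fonts/; "
    "img-src 'self' https://egbert.net/images/ https://egbert.net/blog/ data:; "
    "media-src https://egbert.net/media/ data:; "
    "script-src 'nonce-r4nd0m' 'strict-dynamic'; "
    "style-src 'self' https://egbert.net/css/ https://egbert.net/fonts/"
)
# The same policy with two regressions a hurried edit might introduce.
BAD_POLICY = GOOD_POLICY.replace("object-src 'none'", "object-src *").replace(
    "https://egbert.net/css/", "https://egbert.net/js/ 'unsafe-inline'")


def parse_csp(header: str) -> dict:
    """Split a header value into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def check_policy(policy: dict) -> list:
    """Return findings; an empty list means every check passed."""
    findings = []
    for d in ("default-src", "object-src", "base-uri"):
        if policy.get(d) != ["'none'"]:
            findings.append(f"{d} is not 'none'")
    for d, srcs in policy.items():
        findings += [f"{d} allows {s}" for s in srcs if s in ("'unsafe-inline'", "'unsafe-eval'")]
        # 'strict-dynamic' ignores host and 'self' sources, so a nonce or hash must bootstrap trust.
        if "'strict-dynamic'" in srcs and not any(s.startswith(("'nonce-", "'sha")) for s in srcs):
            findings.append(f"{d}: 'strict-dynamic' without a nonce or hash source")
        # Directory separation: site host sources must stay inside this type's directory.
        for s in srcs:
            if s.startswith(SITE + "/") and d in ALLOWED_DIRS and not s[len(SITE):].startswith(ALLOWED_DIRS[d]):
                findings.append(f"{d}: {s} is outside {ALLOWED_DIRS[d]}")
    return findings
```

Running check_policy(parse_csp(BAD_POLICY)) reports the relaxed object-src, the 'unsafe-inline' source and the stylesheet allowed from /js/, while the condensed page policy comes back clean.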

Side note: the Permissions-Policy header:

permissions-policy:
   accelerometer=(), 
   ambient-light-sensor=(), 
   autoplay=(), 
   battery=(), 
   camera=(), 
   clipboard-read=(), 
   clipboard-write=(), 
   conversion-measurement=(), 
   cross-origin-isolated=(), 
   display-capture=(), 
   document-domain=(), 
   encrypted-media=(), 
   execution-while-not-rendered=(), 
   execution-while-out-of-viewport=(), 
   focus-without-user-activation=(), 
   fullscreen=(), 
   gamepad=(), 
   geolocation=(), 
   gyroscope=(), 
   hid=(), 
   idle-detection=(), 
   interest-cohort=(), 
   keyboard-map=(), 
   magnetometer=(), 
   microphone=(), 
   midi=(), 
   navigation-override=(), 
   payment=(), 
   picture-in-picture=(), 
   publickey-credentials-get=(), 
   screen-wake-lock=(), 
   serial=(), 
   speaker-selection=(), 
   sync-script=(), 
   sync-xhr=(), 
   trust-token-redemption=(), 
   usb=(), 
   vertical-scroll=(), 
   web-share=(), 
   window-placement=(), 
   xr-spatial-tracking=()

You can check these policies with Google's online CSP checker.

References