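<?php

declare(strict_types=1);

// Any other existing functions or code here

/**
 * Per-response CSP nonce.
 *
 * A CSP nonce must be unpredictable and fresh on every response. WordPress's
 * wp_create_nonce() is not suitable for that: it is a deterministic HMAC of the
 * user, session and a 12-hour tick, so the same value is reused for hours and is
 * known to anyone who has seen one response in that window, which defeats the
 * nonce-based script-src policy. This helper draws 128 bits from the CSPRNG once
 * per request and returns the same value on later calls, so the header and the
 * <script nonce="..."> attributes (e.g. added via the `script_loader_tag` filter)
 * agree. Scripts without the nonce are blocked by the policy below.
 *
 * @return string base64-encoded nonce, safe inside a CSP header and an HTML attribute
 */
function security_headers_csp_nonce(): string
{
    static $nonce = null;

    return $nonce ??= base64_encode(random_bytes(16));
}

/**
 * Emit the site's security response headers.
 *
 * Hooked to `send_headers`, which fires before any body output. Returns early if
 * headers were already sent, since header() could then only emit a warning.
 *
 * Policy notes:
 *  - HSTS is sent unconditionally; browsers ignore it on plain HTTP (RFC 6797).
 *  - The original Feature-Policy values were unquoted (`camera none`), which is
 *    not the header's syntax; Feature-Policy is deprecated but kept, correctly
 *    quoted, for older engines. Permissions-Policy is the current form.
 *  - Screen-Wake-Lock, Sync-Xhr-Mode, Autoplay, Serial, Browsing-Topics,
 *    Clipboard-Write and Interest-Cohort-Report-Only are not HTTP headers any
 *    browser recognises; their intent is expressed as Permissions-Policy
 *    directives instead (clipboard-write stays at its default allowlist, self).
 *  - Public-Key-Pins is dropped: HPKP has been removed from all browsers and the
 *    original header carried no pin-sha256, so it was invalid anyway.
 *  - Access-Control-Allow-Credentials is dropped: browsers reject it together
 *    with a wildcard Access-Control-Allow-Origin, and a credentialed wildcard
 *    would expose authenticated responses cross-site if an origin were ever
 *    filled in. The wildcard is acceptable only because credentials stay off.
 *  - Expect-CT is obsolete (browsers enforce CT unconditionally now); it is
 *    harmless and retained as in the original.
 */
function add_security_headers(): void
{
    if (headers_sent()) {
        return;
    }

    // Strict-Transport-Security (HSTS)
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    // Content-Security-Policy (CSP) with a per-response nonce.
    // 'strict-dynamic' makes CSP3 browsers ignore 'self' for scripts; 'self' is the
    // fallback for older engines. style-src 'unsafe-inline' is a known weakening
    // inherited from the original policy. frame-ancestors mirrors X-Frame-Options.
    $nonce = security_headers_csp_nonce();
    header(sprintf(
        "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-%s' 'strict-dynamic'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';",
        $nonce,
    ));

    // Feature-Policy (deprecated predecessor of Permissions-Policy; values must be quoted)
    header("Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'");

    // Permissions-Policy: the original directives plus the per-feature intents that
    // were previously sent as non-existent headers.
    header(
        'Permissions-Policy: accelerometer=(), autoplay=(), browsing-topics=(), camera=(), '
        . 'geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), '
        . 'payment=(), screen-wake-lock=(self), serial=(), sync-xhr=(), usb=()'
    );

    // X-Content-Type-Options
    header('X-Content-Type-Options: nosniff');

    // X-Frame-Options
    header('X-Frame-Options: DENY');

    // Referrer-Policy
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // CORS: wildcard origin, no credentials. If a credentialed cross-origin caller is
    // ever needed, replace '*' with that exact origin and add Vary: Origin — do not
    // re-add Access-Control-Allow-Credentials next to the wildcard.
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
    header('Access-Control-Allow-Headers: X-Requested-With');

    // Expect-CT (obsolete; kept for parity with the original configuration)
    header('Expect-CT: enforce, max-age=604800');
}

// Add action before sending headers
add_action('send_headers', 'add_security_headers');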