how do I add a security header?

[zufan-students]

Problem:

I have tried adding a security header to config/development/server.toml and hugo.toml with no effect after adding the security header script with:

hugo.toml

[server]
  [[server.headers]]
    for = '/**'
    [server.headers.values]
      Content-Security-Policy = 'script-src localhost:1313'
      Referrer-Policy = 'strict-origin-when-cross-origin'
      X-Content-Type-Options = 'nosniff'
      X-Frame-Options = 'DENY'
      X-XSS-Protection = '1; mode=block'

config/development/server.toml

[[headers]]
  for = '/**'
  [headers.values]
    Content-Security-Policy = 'script-src localhost:1313'
    Referrer-Policy = 'strict-origin-when-cross-origin'
    X-Content-Type-Options = 'nosniff'
    X-Frame-Options = 'DENY'
    X-XSS-Protection = '1; mode=block'

request

how to add security headers i run on vercel with this Hugoplate theme? by adding to vercel.json? I've tried adding it but this script gets an error it's not allowed to use routes it has to be rewritten. Can you make an example?

 "routes": [
 {
 "handle": "filesystem"
 },
 {
 "src": "/(.*)",
 "status": 404,
 "dest": "/404.html"
 }

example vercel.json

before:

{
 "builds": [
   {
     "src": "vercel-build.sh",
     "use": "@vercel/static-build",
     "config": {
       "distDir": "public"
     }
   }
 ],
 "routes": [
   {
     "handle": "filesystem"
   },
   {
     "src": "/(.*)",
     "status": 404,
     "dest": "/404.html"
   }
 ]
}

after:

 request sample