Feature Request: HTTP Security Response Headers for Hosted Apps

My app (flowmaticai.base44.app) currently scores an F on securityheaders.com because all six major security headers are missing from the HTTP response. I've added CSP and Referrer-Policy via meta tags, which provides partial browser enforcement, but the following headers only work when set as actual HTTP response headers at the server/CDN level:

• Strict-Transport-Security — enforces HTTPS (max-age=31536000; includeSubDomains)
• X-Frame-Options — prevents clickjacking (SAMEORIGIN)
• X-Content-Type-Options — prevents MIME-sniffing (nosniff)
• Permissions-Policy — controls browser feature access

These cannot be set in the app editor and must be configured at the platform/Cloudflare level.

Why this matters: Apps on Base44 that handle OAuth tokens (Facebook, TikTok, Google), payment integrations (Stripe), and user data are particularly exposed without these headers. This is a platform-wide improvement that would benefit all Base44-hosted apps.

Suggested approach: Either add these as default headers for all hosted apps, or provide a configuration option in the app settings that lets builders customize their security headers.
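The following is an added example, not code from the post, Base44 or Cloudflare: an edge-side function in the style of a Cloudflare Worker that injects the headers the post says must be set at the CDN, plus a checker that mirrors the securityheaders.com "which of the six are missing" test. The HSTS, X-Frame-Options and nosniff values are the ones quoted in the post; the Referrer-Policy and Permissions-Policy values are assumed defaults that a builder would tune per app.

```javascript
// Added example (not from the post, Base44 or Cloudflare). Uses the WHATWG
// Response/Headers API available in Cloudflare Workers and Node 18+.

// The six headers securityheaders.com grades on (names taken from the post).
const REQUIRED_HEADERS = [
  "Strict-Transport-Security",
  "Content-Security-Policy",
  "X-Frame-Options",
  "X-Content-Type-Options",
  "Referrer-Policy",
  "Permissions-Policy",
];

// Values to set at the CDN. HSTS, X-Frame-Options and nosniff are quoted in the
// post; Referrer-Policy and Permissions-Policy are assumed defaults to tune per
// app. CSP is deliberately omitted: it depends on each app's script/asset origins.
const CDN_HEADER_VALUES = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Return the subset of REQUIRED_HEADERS absent from a Headers object.
// Headers lookups are case-insensitive, matching HTTP semantics.
function missingSecurityHeaders(headers) {
  return REQUIRED_HEADERS.filter((name) => !headers.has(name));
}

// Copy the upstream response and add each CDN-managed header only when the app
// has not already set it, so a stricter app-level value is never overridden.
function withSecurityHeaders(upstream) {
  const headers = new Headers(upstream.headers);
  for (const [name, value] of Object.entries(CDN_HEADER_VALUES)) {
    if (!headers.has(name)) headers.set(name, value);
  }
  return new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers,
  });
}

// In a Worker, the fetch handler would be:
//   const upstream = await fetch(request); return withSecurityHeaders(upstream);
```

Running `missingSecurityHeaders` on the wrapped response leaves only Content-Security-Policy reported as missing, which is exactly the header still needing a per-app value.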

Status: In Review
Board: Feature Request
Date: About 14 hours ago
Author: Ceri Hoover
