Security & CSP v0.1.0

Headers Snapshot

Click Fetch Headers

Policies

The gateway sets a minimal Content-Security-Policy (CSP), disables Cross-Origin-Embedder-Policy strictness for compatibility, and applies rate limiting and body size caps. Planned for future iterations: nonce/B3 trace propagation and a zero-trust header set.
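One way to check a fetched header snapshot against the policy described above, as an added example (not the gateway's own code). The snapshot contents, the function names `parseCsp` and `auditSnapshot`, and the finding labels are assumptions made for illustration.

```javascript
// SAMPLE_SNAPSHOT is constructed for illustration; it is not real gateway output.
const SAMPLE_SNAPSHOT = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'",
  "X-Content-Type-Options": "nosniff",
};

// Split a CSP header value into a Map of directive name -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of finding labels (hypothetical names) for one snapshot.
function auditSnapshot(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = new Map(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  const cspValue = h.get("content-security-policy");
  if (!cspValue) {
    findings.push("csp-missing");
  } else {
    const csp = parseCsp(cspValue);
    // script-src falls back to default-src when it is absent.
    const scriptSrc = csp.get("script-src") || csp.get("default-src");
    if (!scriptSrc) {
      findings.push("csp-no-script-restriction");
    } else {
      const lower = scriptSrc.map((s) => s.toLowerCase());
      if (lower.includes("'unsafe-inline'")) findings.push("csp-unsafe-inline");
      // Nonces are the planned future iteration; report while they are absent.
      if (!lower.some((s) => s.startsWith("'nonce-"))) findings.push("csp-no-nonce");
    }
  }
  // Without require-corp or credentialless the page is not cross-origin isolated.
  const coep = (h.get("cross-origin-embedder-policy") || "").trim().toLowerCase();
  if (coep !== "require-corp" && coep !== "credentialless") findings.push("coep-relaxed");
  return findings;
}
```

A `coep-relaxed` finding is expected under the current policy; it records the compatibility trade-off rather than a misconfiguration.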