* New: automatically detect wrong Security Header values from other sources, and duplicate headers
* Improvement: auto enable Insecure Requests header only when SSL enabled
* Improvement: remove unnecessary notices load in licenses block
* Improvement: CSP policy for back and front-end separate
* Improvement: also allow non-recommended X-XSS options
* Improvement: frame ancestors allow other values than 'none'
* Improvement: Use ABSPATH constant instead of path when writing path to debug.log
* Improvement: Pause CSP reporting after 20 requests, to lower server load
* Fix: script-src-elem in Content Security Policy not including source URL
* Fix: prefix replacement in wp-config too broad, causing issues if wp_ is used other then in the prefix.
* Fix: Update prefix site_id in user roles when changing the database prefix, to preserve capabilities for users in subsites