diff --git a/website/loaders/asset.ts b/website/loaders/asset.ts
index d883e7b9c..0d931b173 100644
--- a/website/loaders/asset.ts
+++ b/website/loaders/asset.ts
@@ -1,54 +1,22 @@
-import { forbidden } from "@deco/deco";
 import { fetchSafe, STALE } from "../../utils/fetch.ts";
+import { shortcircuit } from "@deco/deco";
 interface Props {
   /**
    * @description Asset src like: https://fonts.gstatic.com/...
    */
   src: string;
 }
-
-const loader = async (props: Props, request: Request): Promise => {
+const loader = async (props: Props) => {
   const url = new URL(props.src);
-
-  // Whitelist allowed protocols
-  const allowedProtocols = ["https:", "http:"];
-  if (!allowedProtocols.includes(url.protocol)) {
-    forbidden({
-      message: "Only HTTP and HTTPS protocols are allowed",
-    });
+  if (url.protocol === "file:") {
+    shortcircuit(new Response("Forbidden", { status: 403 }));
   }
-
   const original = await fetchSafe(url.href, STALE);
   const response = new Response(original.body, original);
-
-  // Check if the request's Accept header includes "text/html"
-  const acceptHeader = request.headers.get("accept");
-  if (acceptHeader && acceptHeader.includes("text/html")) {
-    forbidden({
-      message: "Forbidden: text/html not accepted",
-    });
-  }
-
-  const contentType = response.headers.get("Content-Type");
-  if (contentType && contentType.includes("text/html")) {
-    forbidden({
-      message: "Forbidden: text/html not accepted as a response",
-    });
-  }
-
-  // Set strict Content-Security-Policy
-  response.headers.set(
-    "Content-Security-Policy",
-    "default-src 'none'; style-src 'unsafe-inline'",
-  );
-
-  // Set cache control headers
   response.headers.set(
-    "Cache-Control",
+    "cache-control",
     "public, s-maxage=15552000, max-age=15552000, immutable",
   );
-
   return response;
 };
-
 export default loader;
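Review bot: The new guard `if (url.protocol === "file:")` turns the previous protocol allowlist into a single-entry denylist, so any scheme other than `file:` that the runtime's `fetch` accepts is now forwarded to `fetchSafe` from a caller-supplied `props.src`; an allowlist is the safer shape here, e.g. `if (!["https:", "http:"].includes(url.protocol)) { shortcircuit(new Response("Forbidden", { status: 403 })); }`. The same hunk also drops the `text/html` check on the upstream `Content-Type` and the `Content-Security-Policy` header, which were what kept a proxied HTML document from being served under this site's origin with a long-lived `immutable` cache header; if the `forbidden()` helper was the reason for removing them, they can be kept with `shortcircuit` as below. The `Cache-Control` → `cache-control` rename is behaviour-neutral since header names are case-insensitive. The explicit return type was dropped with the `request` parameter (the old signature's generic appears to have been stripped in this rendering, so hedging on what it was); restoring `Promise<Response>` keeps the body checked against the loader contract.
```typescript
const loader = async (props: Props): Promise<Response> => {
  const url = new URL(props.src);
  // Allowlist rather than denylist: only http(s) sources are proxied.
  if (!["https:", "http:"].includes(url.protocol)) {
    shortcircuit(new Response("Forbidden", { status: 403 }));
  }
  const original = await fetchSafe(url.href, STALE);
  const response = new Response(original.body, original);
  // Never relay HTML: an HTML body would be served from this site's origin.
  const contentType = response.headers.get("Content-Type");
  if (contentType && contentType.includes("text/html")) {
    shortcircuit(new Response("Forbidden", { status: 403 }));
  }
  response.headers.set(
    "Content-Security-Policy",
    "default-src 'none'; style-src 'unsafe-inline'",
  );
  // … unchanged: cache-control header, return response …
```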