My app has been warned on May 6 (The warning was related to phishing while my app hosted on App Engine does not phish). I requested an appeal, and I clearly explained why I think this warning was added to my app. It was because of a code that I added to my html page to avoid attacks. I therefore removed it and I received a support message stating that there is no issue with my app.
I received another email yesterday stating that the link to my app has been suspended while the search console was not showing any security issue. I submitted an appeal again and I received an email this morning stating that the suspension has been lifted. But the link is still not working.
The following was the code:
<remove name="X-Powered-By" />
<!-- Protects against XSS injections. ref.: [https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/](https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/) -->
<add name="X-XSS-Protection" value="1; mode=block" />
<!-- Protects against Clickjacking attacks. ref.: [http://stackoverflow.com/a/22105445/1233379](http://stackoverflow.com/a/22105445/1233379) -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
<!-- Protects against MIME-type confusion attack. ref.: [https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/](https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/) -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- Protects against Clickjacking attacks. ref.: [https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet) -->
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
<!-- CSP modern XSS directive-based defence, used since 2014. ref.: [http://content-security-policy.com/](http://content-security-policy.com/) -->
<add name="Content-Security-Policy" value="default-src 'self'; connect-src *; font-src * data:; frame-src *; img-src * data: blob:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';" />
<!-- Prevents from leaking referrer data over insecure connections. ref.: [https://scotthelme.co.uk/a-new-security-header-referrer-policy/](https://scotthelme.co.uk/a-new-security-header-referrer-policy/) -->
<add name="Referrer-Policy" value="same-origin" />
<!--Feature-Policy is a new header that allows a site to control which features and APIs can be used in the browser. ref.: [https://wicg.github.io/feature-policy/](https://wicg.github.io/feature-policy/) -->
<add name="Feature-Policy" value="accelerometer 'none'; camera '*'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment *; usb 'none'" />
</customHeaders>
THIS IS REALLY CAUSING ISSUE ON MY BUSINESS AND OUR BUSINESS REPUTATION. PLEASE ASSIST ME WITH THIS AS SOON AS POSSIBLE. THE LINK IS: https://partyexpress360-d40e5.uk.r.appspot.com/.
Thanks!