Improve the security via HTTP headers
My initial attempts at a generating a CSP policy yield this:
default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:
With this policy, the app loads without any CSP warning (at least during my tests). The
unsafe-eval bits could possibly removed if we added the CSP headers at the Python level (appending a
We also might want to set the
Referrer-Policy headers too.