Proposal: Add Optional Content-Security-Policy (CSP) Header Support

[duncanchen]

Hi @AlemTuzlak,

I’d like to contribute to the project by adding support for a default Content-Security-Policy (CSP) header — turned off by default, but easy to enable when needed.

What I propose:

• Add CSP header support with a sensible default policy (e.g., default-src 'none')
• Make it opt-in via an env variable or config flag

Happy to follow your preferred coding style or integration pattern. Let me know if you’re open to this — I can start working on a pull request right away.

Thanks!

Duncan

[AlemTuzlak]

Hey Duncan, I somehow completely missed this issue, feel free to open up a PR and we can talk about it and go from there!