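# Content-Security-Policy: limit all fetch types to the page's own origin and
# disallow plugin content (<object>/<embed>).
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
#
# "always" (nginx >= 1.7.5) sends the header on every response code. Without it,
# add_header applies only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308,
# so error pages (404, 5xx) would be served with no policy at all.
#
# Review notes:
# - default-src is not a fallback for base-uri, form-action or frame-ancestors;
#   they stay unrestricted unless listed explicitly in the policy.
# - add_header is inherited from the enclosing level only when the current level
#   defines no add_header of its own; any server/location block that adds another
#   header must repeat this directive or the policy is silently dropped there.
# - To trial a stricter policy without breaking pages, serve it first as
#   Content-Security-Policy-Report-Only and watch the violation reports.
add_header Content-Security-Policy "default-src 'self'; object-src 'none'" always;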