include snip.d/http-base-security-headers;

add_header  Content-Security-Policy  "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';"  always;