Is your feature request related to a problem?
Hi,
currently Gokapi does not send the Content-Security-Policy HTTP header for all pages served by the application (notably the header is missing from the application root /, /login page, /admin page...)
This header would provide additional security against potential malicious scripts or resources from third-party domains.
Could you add the header with an appropriate value to all application responses? (as far as I can see, Gokapi does not load any third-party resources, so default-src 'self' should be fine)
(On a second look, I can see a third-party resource is loaded by the StreamSaver mitm service worker on the download page (https://forceu.github.io/...), what is the purpose of this cross-site request?)
If that is not possible, let me know if this header should be set by the reverse proxy instead (in which case a mention in the docs would still be nice).
Thanks for your work on Gokapi
Describe the solution you'd like
All HTTP responses by the application should contain a Content-Security-Policy header
Describe alternatives you've considered
Configuring my reverse proxy to inject the header
Additional Context
No response
Impact
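The request above asks for the header on every response, which in a Go service is naturally a middleware around the router rather than a per-handler change. The following is an added illustration, not Gokapi's own code: the policy string, the three hypothetical routes and the `missingCSP` route check are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed policy: the request states Gokapi loads no third-party resources, so
// everything is pinned to the same origin. The StreamSaver worker mentioned in
// the request would need its origin in a worker-src directive before rollout.
const defaultPolicy = "default-src 'self'; frame-ancestors 'none'; object-src 'none'"

// withCSP wraps any handler so every response, whatever route served it, carries CSP.
func withCSP(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Set before delegating: headers added after the body starts are lost.
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

// newMux stands in for the application's router (hypothetical routes only).
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	for _, p := range []string{"/", "/login", "/admin"} {
		path := p
		mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintf(w, "page %s", path)
		})
	}
	return mux
}

// missingCSP requests each path in-process and returns those whose response
// lacks the header, the same check the issue reports failing for /, /login, /admin.
func missingCSP(h http.Handler, paths []string) []string {
	var missing []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Header().Get("Content-Security-Policy") == "" {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	pages := []string{"/", "/login", "/admin"}
	fmt.Println(missingCSP(newMux(), pages), missingCSP(withCSP(defaultPolicy, newMux()), pages))
}
```

Without the wrapper all three routes are reported missing; with it, none are. A reverse proxy injecting the same header is an equivalent fallback, but then the policy lives outside the application and is easy to lose when the proxy config changes.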