Content-Type: application/json
Content-Security-Policy: default-src 'none'; base-uri 'none';