Goose should set the Content-Security-Policy header appropriately to mitigate the risk of unauthorised content being loaded in the browser. This is particularly useful for XSS prevention. The Expect-CT header is also supported by some browsers.
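As an added example (not Goose's own code; it assumes Goose exposes response headers as a name/value mapping), a small Python helper that serialises a CSP policy into the header value and audits a policy for the directives that would leave script execution unrestricted:

```python
"""Build and audit a Content-Security-Policy header value (example, not Goose code)."""
from typing import Dict, List

# Source expressions that make a script policy ineffective against XSS.
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}
WILDCARD_SOURCES = {"*", "data:", "http:", "https:"}

# Constructed baseline for an app that serves its own scripts and embeds no plugins.
RECOMMENDED_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialise directive -> sources into a header value; directives are '; ' separated."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a header value; a repeated directive is ignored, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return findings for a policy that does not meaningfully restrict scripts."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    # script-src falls back to default-src when absent, so audit whichever applies.
    for src in policy.get("script-src", policy.get("default-src", [])):
        if src in UNSAFE_SCRIPT_SOURCES:
            findings.append(f"script policy allows {src}")
        if src in WILDCARD_SOURCES:
            findings.append(f"script policy allows {src}: scripts from any matching origin")
    if policy.get("object-src", policy.get("default-src", [])) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content from allowed sources can load")
    return findings


if __name__ == "__main__":
    print(build_csp(RECOMMENDED_POLICY))
    print(audit_csp("script-src *"))
```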