CSP enforced with header <?php header("Content-Security-Policy: script-src 'none'"); ?>