Add a default-src CSP Header in Express to Enforce an Allowlist and Mitigate XSS by Mike Sherov