@bitquark reported a bug where we were not sending the Content Security Policy header in responses when the request included specific parameters. The CSP header is an important security feature supported by modern browsers to significantly mitigate the risk of XSS.

We addressed this issue by ensuring the correct security headers are set on all responses.
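The failure mode described above, sketched as an added example (not code from the original report or the affected site): a handler whose alternate code path omits the CSP header, a middleware that sets it on every response, and a check that requests each parameter variant and lists the ones that come back without the header. The `format=raw` parameter, the policy value and all function names are assumptions made for illustration; the report does not say which parameters were involved.

```python
# Added example: hypothetical app, parameter and policy, constructed for illustration.
from wsgiref.util import setup_testing_defaults

CSP = ("Content-Security-Policy", "default-src 'self'")

def app(environ, start_response):
    """Constructed handler: one code path forgets the security headers."""
    if "format=raw" in environ.get("QUERY_STRING", ""):
        # Alternate path builds its own response and skips the CSP header.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"raw body"]
    start_response("200 OK", [("Content-Type", "text/html"), CSP])
    return [b"<p>page</p>"]

def with_security_headers(inner):
    """Middleware: add the CSP header to every response that lacks one."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            if not any(k.lower() == CSP[0].lower() for k, _ in headers):
                headers = list(headers) + [CSP]
            return start_response(status, headers, exc_info)
        return inner(environ, start)
    return wrapped

def missing_csp(application, query_strings):
    """Return the query strings whose response carries no CSP header."""
    missing = []
    for qs in query_strings:
        environ = {"QUERY_STRING": qs}
        setup_testing_defaults(environ)  # fills in the remaining WSGI keys
        seen = {}
        def start(status, headers, exc_info=None):
            seen["headers"] = headers
        b"".join(application(environ, start))
        names = {k.lower() for k, _ in seen["headers"]}
        if "content-security-policy" not in names:
            missing.append(qs)
    return missing

# Constructed request variants to probe every code path.
QUERIES = ["", "page=2", "format=raw", "page=2&format=raw"]

if __name__ == "__main__":
    print("before:", missing_csp(app, QUERIES))
    print("after: ", missing_csp(with_security_headers(app), QUERIES))
```

Setting the header in one place that wraps every response, rather than in each handler, is what keeps a new code path from silently dropping it; the same check can run as a regression test over the application's real routes and parameters.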