Missing Content-Security-Policy (CSP) header in response #2648

Open
dillonstreator opened this issue Jan 13, 2025 · 0 comments

Comments

@dillonstreator

CSP does not seem to be sent by yopass.se. This is a bit confusing, as the middleware seems to be registered to send this header:

yopass/pkg/server/server.go

Lines 177 to 200 in 8f7cf6c

```go
// SecurityHeadersHandler returns a middleware which sets common security
// HTTP headers on the response to mitigate common web vulnerabilities.
func SecurityHeadersHandler(next http.Handler) http.Handler {
	csp := []string{
		"default-src 'self'",
		"font-src 'self' data:",
		"form-action 'self'",
		"frame-ancestors 'none'",
		"script-src 'self'",
		"style-src 'self' 'unsafe-inline'",
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("content-security-policy", strings.Join(csp, "; "))
		w.Header().Set("referrer-policy", "no-referrer")
		w.Header().Set("x-content-type-options", "nosniff")
		w.Header().Set("x-frame-options", "DENY")
		w.Header().Set("x-xss-protection", "1; mode=block")
		if r.URL.Scheme == "https" || r.Header.Get("X-Forwarded-Proto") == "https" {
			w.Header().Set("strict-transport-security", "max-age=31536000")
		}
		next.ServeHTTP(w, r)
	})
}
```

Any ideas why the header isn't being set? As you're probably already aware, this is an important header to have sent for additional security measures.

[screenshot attachment]
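A useful first step when a header that the code clearly sets never reaches the browser is to exercise the middleware in isolation, so that "the middleware is not on the request path" can be separated from "something between the Go process and the client (a reverse proxy, CDN or load balancer) is dropping the header". The program below is an added example, not code from the yopass project or from the issue author: it copies the `SecurityHeadersHandler` quoted above verbatim, adds a small `MissingSecurityHeaders` checker that lists which of the expected headers are absent from a response, and drives the handler through `net/http/httptest` with and without the middleware. It also shows the one header in that middleware whose presence depends on the deployment: `Strict-Transport-Security` is only set when the request scheme is `https` or the proxy forwards `X-Forwarded-Proto: https`. The `CheckURL` helper and the `expectedSecurityHeaders` list are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// SecurityHeadersHandler is the middleware quoted in the issue
// (yopass/pkg/server/server.go), reproduced here unchanged.
func SecurityHeadersHandler(next http.Handler) http.Handler {
	csp := []string{
		"default-src 'self'",
		"font-src 'self' data:",
		"form-action 'self'",
		"frame-ancestors 'none'",
		"script-src 'self'",
		"style-src 'self' 'unsafe-inline'",
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("content-security-policy", strings.Join(csp, "; "))
		w.Header().Set("referrer-policy", "no-referrer")
		w.Header().Set("x-content-type-options", "nosniff")
		w.Header().Set("x-frame-options", "DENY")
		w.Header().Set("x-xss-protection", "1; mode=block")
		if r.URL.Scheme == "https" || r.Header.Get("X-Forwarded-Proto") == "https" {
			w.Header().Set("strict-transport-security", "max-age=31536000")
		}
		next.ServeHTTP(w, r)
	})
}

// expectedSecurityHeaders (assumed list for this example) are the headers the
// middleware sets unconditionally. HSTS is conditional and is checked separately.
var expectedSecurityHeaders = []string{
	"Content-Security-Policy",
	"Referrer-Policy",
	"X-Content-Type-Options",
	"X-Frame-Options",
	"X-Xss-Protection",
}

// MissingSecurityHeaders returns, sorted, the expected headers absent from h.
// http.Header.Get canonicalises names, so the lower-case keys set by the
// middleware are matched correctly.
func MissingSecurityHeaders(h http.Header) []string {
	var missing []string
	for _, name := range expectedSecurityHeaders {
		if h.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// ServeAndInspect sends one in-memory GET through h, optionally with an
// X-Forwarded-Proto header, and returns the response headers. No proxy or
// CDN is involved, so this isolates what the Go handler itself emits.
func ServeAndInspect(h http.Handler, forwardedProto string) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

// CheckURL (hypothetical helper) fetches url over the network and reports the
// missing headers as seen by a client, i.e. after any intermediary.
func CheckURL(url string) ([]string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return MissingSecurityHeaders(resp.Header), nil
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello")
	})
	wrapped := SecurityHeadersHandler(app)

	fmt.Println("bare handler, missing:   ", MissingSecurityHeaders(ServeAndInspect(app, "")))
	hdr := ServeAndInspect(wrapped, "")
	fmt.Println("wrapped handler, missing:", MissingSecurityHeaders(hdr))
	fmt.Println("CSP:", hdr.Get("Content-Security-Policy"))
	fmt.Println("HSTS (no forwarded proto):   ", hdr.Get("Strict-Transport-Security"))
	fmt.Println("HSTS (X-Forwarded-Proto=https):", ServeAndInspect(wrapped, "https").Get("Strict-Transport-Security"))

	// End-to-end over a loopback server, the same check a client would run.
	srv := httptest.NewServer(wrapped)
	defer srv.Close()
	missing, err := CheckURL(srv.URL)
	fmt.Println("over HTTP, missing:", missing, "err:", err)
}
```

If the in-memory check shows the headers present but the same check against the public URL does not, the handler is fine and the place to look is whatever sits in front of it; if the in-memory check on the real router (rather than a bare handler) already lacks them, the middleware is not wrapping that route.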
