headers http header: content-security-policy: `unsafe-hashes` source value