<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self'; font-src 'self'; style-src 'self'; connect-src 'self'; form-action 'none'; block-all-mixed-content; base-uri 'none'">