For some reason the latest Express.JS versions are forcing a default, restrictive CSP (Content-Security-Policy) header value.
I'm trying to instantiate a middleware in order to change the CSP to a more permissive one (which is what I currently need for the project), but Express.JS seems to ignore every value for the Content-Security-Policy header. Calling res.setHeader("...", "some value") does work in that middleware when I change the key name to anything but "Content-Security-Policy". I'm not defining this header anywhere else, so it seems to come from Express.JS itself. What exactly is going on, and how do I correctly make Express.JS recognize it?
Example: requesting the main page shows the default restrictive header for CSP, ignoring the value I set on line 29.
Another example: changing the header to another name that's not CSP correctly lists it in the headers.