Content Security Policy header in Rails app


Is there something else I need to do in a Rails app to set the CSP header in the API responses? I've implemented the module below but the header is not present anywhere:

# config/initializers/content_security_policy.rb

Rails.application.config.content_security_policy do |policy|
  policy.img_src :self, :data, :blob, '*'
  policy.media_src :self, :data, :blob, '*'
  policy.script_src :self, :unsafe_inline, :unsafe_eval, '*'
  policy.style_src :self, :unsafe_inline, :blob, '*'
  policy.font_src :self, :data, '*'
  policy.connect_src :self, :data, '*'
  policy.child_src :self, :blob, '*'
  policy.frame_src :self, '*'
  policy.object_src :self, '*'
end
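An added example, not part of the original question: a plain-Ruby audit of a CSP header value that flags wildcard and `unsafe-*` sources, which is worth running once the header does appear, since every directive in the initializer above also allows `*`. `SAMPLE_HEADER` is constructed to match what that initializer is expected to serialize to; `parse_csp`, `audit_csp` and the severity labels are hypothetical names chosen for illustration.

```ruby
# Added example: audits a Content-Security-Policy header value for sources
# that cancel out the protection a directive is meant to give.

# Constructed sample: the header value the initializer above is expected to
# serialize to (Rails maps :self to 'self', :data to data:, and so on).
SAMPLE_HEADER = [
  "img-src 'self' data: blob: *",
  "media-src 'self' data: blob: *",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' *",
  "style-src 'self' 'unsafe-inline' blob: *",
  "font-src 'self' data: *",
  "connect-src 'self' data: *",
  "child-src 'self' blob: *",
  "frame-src 'self' *",
  "object-src 'self' *"
].join('; ').freeze

RISKY_KEYWORDS = ["'unsafe-inline'", "'unsafe-eval'"].freeze
# Directives where a permissive source list allows code execution or plugins.
HIGH_IMPACT = %w[script-src object-src default-src].freeze

# Parse a header value into { "directive" => ["source", ...] }.
# Per the CSP spec, a repeated directive is ignored after its first occurrence.
def parse_csp(header)
  header.split(';').each_with_object({}) do |chunk, acc|
    name, *sources = chunk.strip.split(/\s+/)
    next if name.nil?
    acc[name.downcase] ||= sources
  end
end

# Return a list of findings, each one [directive, source, severity].
def audit_csp(header)
  policy = parse_csp(header)
  findings = []
  policy.each do |directive, sources|
    severity = HIGH_IMPACT.include?(directive) ? :high : :medium
    sources.each do |src|
      findings << [directive, src, severity] if src == '*' || RISKY_KEYWORDS.include?(src.downcase)
    end
  end
  # Without default-src, fetch directives that are not listed stay unrestricted.
  findings << ['default-src', '(missing)', :medium] unless policy.key?('default-src')
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_csp(SAMPLE_HEADER).each { |d, s, sev| puts "#{sev.to_s.upcase.ljust(6)} #{d}: #{s}" }
end
```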