As identified in the security concept review (T227591#5388300), we should set appropriate security headers, including a robust CSP, on each component of the service.
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP