Right now, the app doesn’t have a Content-Security-Policy (CSP) in place, either as an HTTP header or a meta tag. Without it, the app is more vulnerable to Cross-Site Scripting (XSS) attacks, which could allow malicious scripts to run.