<!-- These tags are here for demostration. It's recommended to send them via HTTP headers instead. -->
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; object-src 'none'; script-src 'none'; style-src 'unsafe-inline'">