Question - Content Security Policy Headers

Dear all,

Part of our ISMS requires us to document our SaaS services and their security properties. Obviously this policy includes Eramba SaaS as well.
Among other questions, we evaluate the HTTP headers set by a site.

When scanning the headers of our eramba SaaS instance (as well as the ones for the demo environment), I noticed that eramba does not set a CSP header.
It also has not implemented “SameSite”.

You can retrace the checks we do and the explanation of the findings at Scan results - HTTP Observatory | MDN.

Is there a specific reason why this is not the case or any other mitigation in place to justify this?
Is this maybe on the roadmap to be fixed down the road?

Best regards from an eager information protector,
vidaktobyl
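The two checks the post describes (is a Content-Security-Policy header present, and does every Set-Cookie carry a SameSite attribute) can be reproduced locally without the Observatory. The script below is an added example and is not part of the original post or of eramba's code; the sample responses in it are constructed, the header and cookie names are assumptions, and `fetch_headers` is a small helper for running the same audit against a live URL.

```python
"""Audit an HTTP response for a CSP header and for SameSite on cookies.

Added example, not eramba's code. The MISSING / HARDENED responses below
are constructed by hand to mimic an instance before and after the fix.
"""
import sys
import urllib.request


def cookie_attributes(set_cookie: str) -> dict:
    """Parse one Set-Cookie value into its name and the attributes we care about."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {"name": parts[0].split("=", 1)[0],
             "samesite": None, "secure": False}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            attrs["samesite"] = value.strip().lower() or None
        elif key == "secure":
            attrs["secure"] = True
    return attrs


def audit_headers(headers: list) -> list:
    """Return findings for a list of (name, value) header pairs.

    Pairs (not a dict) are used so repeated Set-Cookie headers survive.
    An empty list means both checks passed.
    """
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    csp = by_name.get("content-security-policy")
    if not csp:
        if by_name.get("content-security-policy-report-only"):
            findings.append("CSP is report-only; it does not block anything")
        else:
            findings.append("no Content-Security-Policy header")
    else:
        # Directive -> list of source expressions, e.g. {"script-src": ["'self'"]}
        directives = {}
        for d in csp[0].split(";"):
            tokens = d.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        for d in ("script-src", "default-src"):
            if "'unsafe-inline'" in directives.get(d, []):
                findings.append(f"CSP {d} allows 'unsafe-inline'")

    for raw in by_name.get("set-cookie", []):
        c = cookie_attributes(raw)
        if c["samesite"] is None:
            findings.append(f"cookie {c['name']} has no SameSite attribute")
        elif c["samesite"] == "none" and not c["secure"]:
            # Browsers reject SameSite=None cookies that are not also Secure.
            findings.append(f"cookie {c['name']} is SameSite=None without Secure")
    return findings


def fetch_headers(url: str) -> list:
    """Fetch url with a GET (HEAD responses often omit Set-Cookie) and return raw header pairs."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return list(resp.getheaders())


# Constructed sample responses, not captured from any real site.
MISSING = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly"),
]
HARDENED = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    targets = {"constructed 'missing' response": MISSING,
               "constructed 'hardened' response": HARDENED}
    if len(sys.argv) > 1:  # optional: python audit.py https://example.invalid/
        targets[sys.argv[1]] = fetch_headers(sys.argv[1])
    for label, hdrs in targets.items():
        print(label, "->", audit_headers(hdrs) or "OK")
```

The audit flags a report-only policy separately because it satisfies a naive "header present" scan while enforcing nothing, and it treats a `SameSite=None` cookie without `Secure` as a finding because browsers drop such cookies.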

Thank you, we’ll look into it.

int. ref.: https://github.com/eramba/eramba/issues/5158