Header always set Content-Security-Policy "upgrade-insecure-requests;"