I’ve added the content security policy on my response headers via this post, and I also had to add ‘unsafe-inline’ to a few of them. I got it to work to the point of getting an access token for the requesting user, and storing it in my database.
However, I have a step in the panel.js where the user is to access the database and retrieve their access token they just generated, and run some more get/post requests with axios calls, but the CSP response headers are not being added to those axios calls (responses). So, I get denied by twitch.
Is there somewhere else I have to add the CSP response headers, beside the express backend?