CSP goes in the dashboard to control what the front end code/HTML/JS/CSS can access.
CSP headers do not go in the EBS/express backend. for an extension use case
An example:
