2 files changed, 4 insertions, 3 deletions

diff --git a/doc/snac.8 b/doc/snac.8
index c0a110c..7a7352c 100644
--- a/doc/snac.8
+++ b/doc/snac.8
@@ -198,9 +198,7 @@ By setting this to true, no inbox collection is done. Inbox collection helps
 being discovered from remote instances, but also increases network traffic.
 .It Ic http_headers
 If you need to add more HTTP response headers for whatever reason, you can
-fill this object with the required header/value pairs. For example, for enhanced
-XSS security, you can set the "Content-Security-Policy" header to "script-src ;"
-to be totally sure that no JavaScript is executed.
+fill this object with the required header/value pairs.
 .It Ic show_instance_timeline
 If this is set to true, the instance base URL will show a timeline with the latest
 user posts instead of the default greeting static page. If other information
diff --git a/httpd.c b/httpd.c
index 5a38aff..d22bb14 100644
--- a/httpd.c
+++ b/httpd.c
@@ -553,6 +553,9 @@ void httpd_connection(FILE *f)
     headers = xs_dict_append(headers, "access-control-allow-origin", "*");
     headers = xs_dict_append(headers, "access-control-allow-headers", "*");
 
+    /* disable any form of fucking JavaScript */
+    headers = xs_dict_append(headers, "Content-Security-Policy", "script-src ;");
+
     if (p_state->use_fcgi)
         xs_fcgi_response(f, status, headers, body, b_size, fcgi_id);
     else