I also use a content security policy header. The CSP references ‘self’, but I’m having issues when new users navigate directly to domain.com (instead of https://domain.com). It seems like the CSP is evaluated before the redirect, and then everything refuses to load since ‘self’ refers to http://domain instead of https://domain. To ‘fix’ this I added the https:// variant of the domain to the CSP. That feels like the wrong way to go about doing things. Is there something obvious I’ve missed?