So, yeah, it's a Workers Sites thing. The front-end website is using React, and we have a custom wrangler project that uses @cloudflare/kv-asset-handler to handle caching in KV, so that custom headers (Content-Security-Policy and such) get set before handing the response to the client.