Some inexplicable things are inserted into the web page. For some reason, https cannot be turned on. If you decide to use Content-Security-Policy.
This is the Content-Security-Policy configuration on the nginx server side
Then the browser checks that Font has been killed, and I don’t know what to do.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
Server-->Network-->User browser. The server is correct and the browser is correct. Some inexplicable things are inserted into web pages, and someone inserts and modifies data during network transmission (common ones include DNS hijacking and HTTP traffic hijacking). HTTP is a clear text protocol, so it is very common to be hijacked.
Finally, you added a controlled HTTP HEADER, which can be easily deleted by others. As for the picture you attached in the question, I couldn't see it clearly, so I didn't use it as a reference (it may be more appropriate to use HAR files later).