diff --git a/lambdas/service/app.py b/lambdas/service/app.py
index 5bd42e97e7..824f1350a0 100644
--- a/lambdas/service/app.py
+++ b/lambdas/service/app.py
@@ -29,6 +29,7 @@
     Response,
     UnauthorizedError,
 )
+import chevron
 from furl import (
     furl,
 )
@@ -56,6 +57,9 @@
 from azul.collections import (
     OrderedSet,
 )
+from azul.csp import (
+    CSP,
+)
 from azul.drs import (
     AccessMethod,
 )
@@ -487,10 +491,19 @@ def manifest_url(self,
     }
 )
 def oauth2_redirect():
-    oauth2_redirect_html = app.load_static_resource('swagger', 'oauth2-redirect.html')
+    file_name = 'oauth2-redirect.html.template.mustache'
+    template = app.load_static_resource('swagger', file_name)
+    nonce = CSP.new_nonce()
+    html = chevron.render(template, {
+        'CSP_NONCE': json.dumps(nonce)
+    })
+    csp = CSP.for_azul(nonce)
     return Response(status_code=200,
-                    headers={"Content-Type": "text/html"},
-                    body=oauth2_redirect_html)
+                    headers={
+                        'Content-Type': 'text/html',
+                        'Content-Security-Policy': str(csp)
+                    },
+                    body=html)
 
 
 def validate_repository_search(entity_type: EntityType,
diff --git a/scripts/convert_environment.py b/scripts/convert_environment.py
index 1e330cd27b..0fb8863444 100644
--- a/scripts/convert_environment.py
+++ b/scripts/convert_environment.py
@@ -13,13 +13,6 @@
     Optional,
 )
 
-"""
-Convert an old-style `environment` Bash script to a new-style `environment.py`.
-
-This is by no means a complete parser for shell scripts. It recognizes only the
-script statements typically used in `environment` and `environment.local` files.
-"""
-
 from azul.files import (
     write_file_atomically,
 )
@@ -27,6 +20,13 @@
     single_quote as sq,
 )
 
+"""
+Convert an old-style `environment` Bash script to a new-style `environment.py`.
+
+This is by no means a complete parser for shell scripts. It recognizes only the
+script statements typically used in `environment` and `environment.local` files.
+"""
+
 
 class Variable(NamedTuple):
     name: str
diff --git a/src/azul/chalice.py b/src/azul/chalice.py
index 5a310df26c..f5d1e4876e 100644
--- a/src/azul/chalice.py
+++ b/src/azul/chalice.py
@@ -58,6 +58,9 @@
 from azul.collections import (
     deep_dict_merge,
 )
+from azul.csp import (
+    CSP,
+)
 from azul.enums import (
     auto,
 )
@@ -73,7 +76,6 @@
 )
 from azul.strings import (
     join_words as jw,
-    single_quote as sq,
 )
 from azul.types import (
     JSON,
@@ -205,33 +207,35 @@ def _api_gateway_context_middleware(self, event, get_response):
         finally:
             config.lambda_is_handling_api_gateway_request = False
 
-    hsts_max_age = 60 * 60 * 24 * 365 * 2
-
-    # Headers added to every response from the app, as well as canned 4XX and
-    # 5XX responses from API Gateway. Use of these headers addresses known
-    # security vulnerabilities.
-    #
-    security_headers = {
-        'Content-Security-Policy': jw('default-src', sq('self')),
-        'Referrer-Policy': 'strict-origin-when-cross-origin',
-        'Strict-Transport-Security': jw(f'max-age={hsts_max_age};',
-                                        'includeSubDomains;',
-                                        'preload'),
-        'X-Content-Type-Options': 'nosniff',
-        'X-Frame-Options': 'DENY',
-        'X-XSS-Protection': '1; mode=block'
-    }
+    @classmethod
+    def security_headers(cls) -> dict[str, str]:
+        """
+        Default values for headers added to every response from the app, as well
+        as canned 4XX and 5XX responses from API Gateway. Use of these headers
+        addresses known security vulnerabilities.
+        """
+        hsts_max_age = 60 * 60 * 24 * 365 * 2
+        csp = CSP.for_azul()
+        return {
+            'Content-Security-Policy': str(csp),
+            'Referrer-Policy': 'strict-origin-when-cross-origin',
+            'Strict-Transport-Security': jw(f'max-age={hsts_max_age};',
+                                            'includeSubDomains;',
+                                            'preload'),
+            'X-Content-Type-Options': 'nosniff',
+            'X-Frame-Options': 'DENY',
+            'X-XSS-Protection': '1; mode=block'
+        }
 
     def _security_headers_middleware(self, event, get_response):
         """
         Add headers to the response
         """
         response = get_response(event)
-        response.headers.update(self.security_headers)
-        # FIXME: Add a CSP header with a nonce value to text/html responses
-        #        https://github.com/DataBiosphere/azul-private/issues/6
-        if response.headers.get('Content-Type') == 'text/html':
-            del response.headers['Content-Security-Policy']
+        # Add security headers to the response without overwriting any headers
+        # that might have been added already (e.g. Content-Security-Policy)
+        for k, v in self.security_headers().items():
+            response.headers.setdefault(k, v)
         view_function = self.routes[event.path][event.method].view_function
         cache_control = getattr(view_function, 'cache_control')
         # Caching defeats the automatic reloading of application source code by
@@ -527,11 +531,14 @@ def _controller(self, controller_cls: type[C], **kwargs) -> C:
         return controller_cls(app=self, **kwargs)
 
     def swagger_ui(self) -> Response:
-        swagger_ui_template = self.load_static_resource('swagger', 'swagger-ui.html.template.mustache')
+        file_name = 'swagger-ui.html.template.mustache'
+        template = self.load_static_resource('swagger', file_name)
         base_url = self.base_url
         redirect_url = furl(base_url).add(path='oauth2_redirect')
         deployment_url = furl(base_url).add(path='openapi')
-        swagger_ui_html = chevron.render(swagger_ui_template, {
+        nonce = CSP.new_nonce()
+        html = chevron.render(template, {
+            'CSP_NONCE': json.dumps(nonce),
             'DEPLOYMENT_PATH': json.dumps(str(deployment_url.path)),
             'OAUTH2_CLIENT_ID': json.dumps(config.google_oauth2_client_id),
             'OAUTH2_REDIRECT_URL': json.dumps(str(redirect_url)),
@@ -540,20 +547,24 @@ def swagger_ui(self) -> Response:
                 for path, method in self.non_interactive_routes
             ])
         })
+        csp = CSP.for_azul(nonce)
         return Response(status_code=200,
-                        headers={'Content-Type': 'text/html'},
-                        body=swagger_ui_html)
-
-    def swagger_resource(self, file) -> Response:
-        if os.sep in file:
-            raise BadRequestError(file)
+                        headers={
+                            'Content-Type': 'text/html',
+                            'Content-Security-Policy': str(csp)
+                        },
+                        body=html)
+
+    def swagger_resource(self, file_name: str) -> Response:
+        if os.sep in file_name:
+            raise BadRequestError(file_name)
         else:
             try:
-                body = self.load_static_resource('swagger', file)
+                body = self.load_static_resource('swagger', file_name)
             except FileNotFoundError:
-                raise NotFoundError(file)
+                raise NotFoundError(file_name)
             else:
-                path = pathlib.Path(file)
+                path = pathlib.Path(file_name)
                 content_type = mimetypes.types_map[path.suffix]
                 return Response(status_code=200,
                                 headers={'Content-Type': content_type},
diff --git a/src/azul/csp.py b/src/azul/csp.py
new file mode 100644
index 0000000000..7177679535
--- /dev/null
+++ b/src/azul/csp.py
@@ -0,0 +1,214 @@
+import base64
+from collections import (
+    defaultdict,
+)
+import logging
+import re
+import secrets
+from typing import (
+    Self,
+)
+
+import attrs
+from more_itertools import (
+    only,
+    prepend,
+)
+
+from azul import (
+    require,
+)
+from azul.strings import (
+    single_quote as sq,
+)
+
+log = logging.getLogger(__name__)
+
+
+@attrs.frozen
+class CSP:
+    directives: dict[str, list[str]]
+
+    @classmethod
+    def for_azul(cls, nonce: str | None = None) -> Self:
+        self, none, data = sq('self'), sq('none'), 'data:'
+        nonce = [] if nonce is None else [sq('nonce-' + nonce)]
+        return cls({
+            'default-src': [self],
+            'img-src': [self, data],
+            'script-src': [self, *nonce],
+            'style-src': [self, *nonce],
+            'frame-ancestors': [none]
+        })
+
+    @classmethod
+    def new_nonce(cls) -> str:
+        """
+        A random nonce for use in a CSP.
+        """
+        return base64.b64encode(secrets.token_bytes(32)).decode('ascii').rstrip('=')
+
+    @classmethod
+    def parse(cls, csp: str) -> Self:
+        """(
+
+        Parse the given CSP or raise RequirementError if it is not syntactically
+        valid against the specification at https://www.w3.org/TR/CSP2.
+
+        >>> from azul.doctests import (
+        ...     assert_json,
+        ... )
+
+        >>> def parse(s): return CSP.parse(s).directives
+
+        A valid CSP:
+
+        >>> valid_csp = "img-src 'self' data:;frame-ancestors 'none'"
+        >>> assert_json(parse(valid_csp))
+        {
+            "img-src": [
+                "'self'",
+                "data:"
+            ],
+            "frame-ancestors": [
+                "'none'"
+            ]
+        }
+
+        Insignificant whitespace is removed:
+
+        >>> fluffy_csp = " \timg-src\t'self'  data:\t;\tframe-ancestors\t 'none' \t"
+        >>> parse(valid_csp) == parse(fluffy_csp)
+        True
+
+        Multiple multiple directives of the same name are consolidated:
+
+        >>> assert_json(parse("img-src data:;img-src 'self':"))
+        {
+            "img-src": [
+                "data:",
+                "'self':"
+            ]
+        }
+
+        Invalid CSPs:
+
+        >>> parse(";")
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ('Invalid directive', '')
+
+        >>> parse('img_src;')
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ('Invalid directive', 'img_src')
+
+        >>> parse('img-src a,b')
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ('Invalid directive', 'img-src a,b')
+        """
+        # https://www.w3.org/TR/CSP2/#policy-syntax
+        directive_re = re.compile(r'[ \t]*([a-zA-Z0-9-]+)'
+                                  # Space, tab and any visible character
+                                  # (0x21-0xFE) except for comma (0x2C) or
+                                  # semicolon (0x3B).
+                                  r'(?:[ \t]([ \t\x21-\x2B\x2D-\x3A\x3C-\xFE]*))?')
+        wsp_re = re.compile(r'[ \t]+')
+        directives = defaultdict(list)
+        for directive in csp.split(';'):
+            match = directive_re.fullmatch(directive)
+            require(match is not None, 'Invalid directive', directive)
+            name, values = match.groups()
+            values = [] if values is None else filter(None, wsp_re.split(values))
+            directives[name].extend(values)
+        return cls(directives)
+
+    # Matches only Azul nonces, specifically
+    nonce_re = re.compile(sq(r'nonce-([a-zA-Z0-9+/]{43})'))
+
+    def validate(self):
+        """
+        Validate the directive values against a subset of the Source List
+        grammar from the specification. Of that grammar, only the productions
+        used in CSPs for Azul are supported.
+
+        >>> def validate(s): return CSP.parse(s).validate()
+
+        >>> valid = ('0a+/' * 11)[:43]
+        >>> validate(f"script-src 'self' 'nonce-{valid}'")
+
+        Disallowed characters in nonce:
+
+        >>> invalid = valid.replace('+','*')
+        >>> validate(f"script-src 'self' 'nonce-{invalid}'")
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ('Invalid value', "'nonce-0a*/0a*/0a*/0a*/0a*/0a*/0a*/0a*/0a*/0a*/0a*'")
+
+        Nonce is too short:
+
+        >>> invalid = valid[:-1]
+        >>> validate(f"script-src 'self' 'nonce-{invalid}'")
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ('Invalid value', "'nonce-0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a'")
+
+        Nonce is too long:
+
+        >>> invalid = valid + '/'
+        >>> validate(f"script-src 'self' 'nonce-{invalid}'")
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ('Invalid value', "'nonce-0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a+/0a+/'")
+
+        Other invalid combinations:
+
+        >>> validate("frame-ancestors 'none' 'none'")
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ("'none' can only appear alone", ["'none'", "'none'"])
+
+        >>> validate("frame-ancestors 'self' 'none'")
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ("'none' can only appear alone", ["'self'", "'none'"])
+
+        >>> validate("img-src 'self' data: 'self'")
+        Traceback (most recent call last):
+        ...
+        azul.RequirementError: ('Duplicated value', ["'self'", 'data:', "'self'"])
+        """
+        self_, none, data = sq('self'), sq('none'), 'data:'
+        value_res = prepend(self.nonce_re.pattern, map(re.escape, [self_, none, data]))
+        value_re = re.compile('|'.join(value_res))
+        for name, values in self.directives.items():
+            for value in values:
+                match = value_re.fullmatch(value)
+                require(match is not None, 'Invalid value', value)
+            require(values == [none] or none not in values,
+                    f'{none} can only appear alone', values)
+            require(len(values) == len(set(values)), 'Duplicated value', values)
+
+    def nonce(self) -> str | None:
+        """
+        Extract the Azul nonce from this CSP, if present. If there are multiple
+        occurrances of a nonce, they must all be equal.
+        """
+        return only(set(
+            value
+            for name, values in self.directives.items()
+            for value in values
+            if self.nonce_re.fullmatch(value) is not None
+        ))
+
+    def __str__(self) -> str:
+        """
+        >>> s = "img-src 'self' data:;frame-ancestors 'none'"
+        >>> s == str(CSP.parse(s))
+        True
+        """
+        return ';'.join(
+            ' '.join(value for value in prepend(name, values))
+            for name, values in self.directives.items()
+        )
diff --git a/src/azul/terraform.py b/src/azul/terraform.py
index 4166c885a6..b90db83b17 100644
--- a/src/azul/terraform.py
+++ b/src/azul/terraform.py
@@ -824,7 +824,7 @@ def tf_config(self, app_name):
         #
         security_headers = {
             f'gatewayresponse.header.{k}': f"'{v}'"
-            for k, v in AzulChaliceApp.security_headers.items()
+            for k, v in AzulChaliceApp.security_headers().items()
         }
         assert 'aws_api_gateway_gateway_response' not in resources, resources
         openapi_spec['x-amazon-apigateway-gateway-responses'] = (
diff --git a/src/azul/threads.py b/src/azul/threads.py
index 0e81e21921..0cef7b9915 100644
--- a/src/azul/threads.py
+++ b/src/azul/threads.py
@@ -62,13 +62,13 @@ class Latch:
     >>> with ThreadPoolExecutor(max_workers=n) as tpe:
     ...     l = Latch(n)
     ...     fs = [tpe.submit(l.decrement, 1) for i in range(n)]
-    >>> [f.result() for f in fs]
+    >>> list(map(Future.result, fs))
     [None, None]
 
     >>> with ThreadPoolExecutor(max_workers=n) as tpe:
     ...     l = Latch(n+1)
     ...     fs = [tpe.submit(l.decrement, 1, timeout=1) for i in range(n)]
-    >>> [f.result() for f in fs]
+    >>> list(map(Future.result, fs))
     Traceback (most recent call last):
     ...
     TimeoutError
@@ -79,7 +79,7 @@ def __init__(self, value):
         self.value = value
         self.condition = threading.Condition()
 
-    def decrement(self, value, timeout=None):
+    def decrement(self, value, *, timeout=None):
         require(isinstance(value, int))
         self.condition.acquire()
         try:
@@ -107,6 +107,7 @@ class DeferredTaskExecutor(metaclass=ABCMeta):
     ...
     ...     def __init__(self) -> None:
     ...         super().__init__(num_workers=2)
+    ...         self.delta = None
     ...         self.a, self.b, self.c, self.d = None, None, None, None
     ...
     ...     def _run(self):
@@ -128,10 +129,16 @@ class DeferredTaskExecutor(metaclass=ABCMeta):
     ...     def never(self):
     ...         self.d = 1
 
-    >>> e = MyExecutor()
-    >>> e.run()  # err() raises an exception
+    >>> from logging import Logger
+    >>> import unittest.mock
+    >>> with unittest.mock.patch.object(Logger, 'warning') as mock_warning:
+    ...     e = MyExecutor()
+    ...     e.run()  # err() raises an exception, and emits a warning log
     [ValueError(123)]
 
+    >>> mock_warning.mock_calls
+    [call('Exception in deferred callable', exc_info=True)]
+
     >>> 1.23 <= e.delta < 2 # set() runs after the given delay, but not much later
     True
 
diff --git a/swagger/oauth2-redirect.html b/swagger/oauth2-redirect.html.template.mustache
similarity index 85%
rename from swagger/oauth2-redirect.html
rename to swagger/oauth2-redirect.html.template.mustache
index 0c0b5da508..e6266a1816 100644
--- a/swagger/oauth2-redirect.html
+++ b/swagger/oauth2-redirect.html.template.mustache
@@ -2,10 +2,10 @@
 <!doctype html>
 <html lang="en-US">
 <title>Swagger UI: OAuth2 Redirect</title>
-<body onload="run()">
+<body>
 </body>
 </html>
-<script>
+<script nonce={{{CSP_NONCE}}}>
     'use strict';
     function run () {
         var oauth2 = window.opener.swaggerUIRedirectOauth2;
@@ -66,4 +66,15 @@
         }
         window.close();
     }
+    // The CSP blocks JS event handlers from inline HTML markup, so instead of
+    // calling run() from the body tag's onload property, as a workaround it
+    // is added here with an event listener.
+    //
+    // See also:
+    //
+    // https://github.com/swagger-api/swagger-ui/issues/5720
+    //
+    window.addEventListener('DOMContentLoaded', function () {
+        run();
+    });
 </script>
diff --git a/swagger/swagger-ui.html.template.mustache b/swagger/swagger-ui.html.template.mustache
index 33889fca8c..ffa004c548 100644
--- a/swagger/swagger-ui.html.template.mustache
+++ b/swagger/swagger-ui.html.template.mustache
@@ -5,7 +5,7 @@
     <meta charset="UTF-8">
     <title>Swagger UI</title>
     <link rel="stylesheet" href="static/swagger-ui.css" crossorigin="anonymous">
-    <style>
+    <style nonce={{{CSP_NONCE}}}>
       html
       {
         box-sizing: border-box;
@@ -30,7 +30,7 @@
     <div id="swagger-ui"></div>
     <script src="static/swagger-ui-bundle.js"></script>
     <script src="static/swagger-ui-standalone-preset.js"></script>
-    <script>
+    <script nonce={{{CSP_NONCE}}}>
     window.onload = function() {
       // Adapted from https://github.com/swagger-api/swagger-ui/issues/3725#issuecomment-334899276
       const DisableTryItOutPlugin = function() {
diff --git a/test/integration_test.py b/test/integration_test.py
index 4298eb2abb..38f49f733a 100644
--- a/test/integration_test.py
+++ b/test/integration_test.py
@@ -106,6 +106,9 @@
 from azul.collections import (
     alist,
 )
+from azul.csp import (
+    CSP,
+)
 from azul.drs import (
     AccessMethod,
 )
@@ -2002,24 +2005,41 @@ def test_response_security_headers(self):
         }
         for endpoint in (config.service_endpoint, config.indexer_endpoint):
             for path, cache_control in test_cases.items():
-                expected_headers = {'Cache-Control': cache_control}
                 with self.subTest(endpoint=endpoint, path=path):
                     if path == '/oauth2_redirect' and endpoint == config.indexer_endpoint:
                         pass  # no oauth2 endpoint on indexer Lambda
                     else:
                         response = requests.get(str(endpoint / path))
                         response.raise_for_status()
-                        expected = AzulChaliceApp.security_headers | expected_headers
-                        # FIXME: Add a CSP header with a nonce value to text/html responses
-                        #        https://github.com/DataBiosphere/azul-private/issues/6
-                        if path in ['/', '/oauth2_redirect']:
-                            del expected['Content-Security-Policy']
-                        self.assertIsSubset(expected.items(), response.headers.items())
+                        actual_csp = response.headers['Content-Security-Policy']
+                        parsed_csp = CSP.parse(actual_csp)
+                        parsed_csp.validate()
+                        nonce = parsed_csp.nonce()
+                        # We only expect a CSP nonce for specific endpoints.
+                        self.assertIs(nonce is None, path not in ['/', '/oauth2_redirect'])
+                        expected_headers = {
+                            # The fact that most headers are hard-coded in
+                            # security_headers() gives us license to use that
+                            # method here to compose the expected value, even
+                            # though it constitutes code under test. There is
+                            # not much that can break in that method, and even
+                            # if one of the literals in it had an error, that
+                            # error would likely be repeated in a literal here.
+                            **AzulChaliceApp.security_headers(),
+                            'Cache-Control': cache_control,
+                            # The random nonce in the actual CSP makes it hard
+                            # to compose an expected value for it. Instead, we
+                            # parse and validate the actual CSP, then serialize
+                            # it again and interpolate the result into the
+                            # expected value.
+                            'Content-Security-Policy': str(parsed_csp)
+                        }
+                        self.assertIsSubset(expected_headers.items(), response.headers.items())
 
     def test_default_4xx_response_headers(self):
         for endpoint in (config.service_endpoint, config.indexer_endpoint):
             with self.subTest(endpoint=endpoint):
                 response = requests.get(str(endpoint / 'does-not-exist'))
                 self.assertEqual(403, response.status_code)
-                self.assertIsSubset(AzulChaliceApp.security_headers.items(),
+                self.assertIsSubset(AzulChaliceApp.security_headers().items(),
                                     response.headers.items())
diff --git a/test/service/test_app_logging.py b/test/service/test_app_logging.py
index 9585bde07f..73679bd2b5 100644
--- a/test/service/test_app_logging.py
+++ b/test/service/test_app_logging.py
@@ -10,14 +10,12 @@
     LocalAppTestCase,
 )
 from azul.chalice import (
+    AzulChaliceApp,
     log,
 )
 from azul.logging import (
     configure_test_logging,
 )
-from azul.strings import (
-    single_quote as sq,
-)
 from indexer import (
     DCP1CannedBundleTestCase,
 )
@@ -39,23 +37,33 @@ def test_request_logs(self):
             for authenticated in False, True:
                 with self.subTest(level=level, authenticated=authenticated):
                     url = self.base_url.set(path='/health/basic')
-                    headers = {'authorization': 'Bearer foo_token'} if authenticated else {}
+                    request_headers = {'authorization': 'Bearer foo_token'} if authenticated else {}
                     with self.assertLogs(logger=log, level=level) as logs:
-                        requests.get(str(url), headers=headers)
+                        requests.get(str(url), headers=request_headers)
                     logs = [(r.levelno, r.getMessage()) for r in logs.records]
-                    headers = {
+                    request_headers = {
                         'host': url.netloc,
                         'user-agent': 'python-requests/2.32.2',
                         'accept-encoding': 'gzip, deflate, br',
                         'accept': '*/*',
                         'connection': 'keep-alive',
-                        **headers,
+                        **request_headers,
+                    }
+                    response_headers = {
+                        'Access-Control-Allow-Origin': '*',
+                        'Access-Control-Allow-Headers': 'Authorization,'
+                                                        'Content-Type,'
+                                                        'X-Amz-Date,'
+                                                        'X-Amz-Security-Token,'
+                                                        'X-Api-Key',
+                        **AzulChaliceApp.security_headers(),
+                        'Cache-Control': 'no-store'
                     }
                     self.assertEqual(logs, [
                         (
                             INFO,
-                            f"Received GET request for '/health/basic', "
-                            f"with {json.dumps({'query': None, 'headers': headers})}."),
+                            "Received GET request for '/health/basic', "
+                            f'with {json.dumps(dict(query=None, headers=request_headers))}.'),
                         (
                             INFO,
                             "Authenticated request as OAuth2(access_token='foo_token')"
@@ -66,17 +74,9 @@ def test_request_logs(self):
                             level,
                             'Returning 200 response. To log headers and body, set AZUL_DEBUG to 1.'
                             if level == INFO else
-                            'Returning 200 response with headers {"Access-Control-Allow-Origin": '
-                            '"*", "Access-Control-Allow-Headers": '
-                            '"Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key", '
-                            f'"Content-Security-Policy": "default-src {sq("self")}", '
-                            '"Referrer-Policy": "strict-origin-when-cross-origin", '
-                            '"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload", '
-                            '"X-Content-Type-Options": "nosniff", '
-                            '"X-Frame-Options": "DENY", '
-                            '"X-XSS-Protection": "1; mode=block", '
-                            '"Cache-Control": "no-store"}. '
-                            'See next line for the first 1024 characters of the body.\n'
+                            'Returning 200 response with headers ' +
+                            json.dumps(response_headers) + '. ' +
+                            'See next line for the first 1024 characters of the body.\n' +
                             '{"up": true}'
                         )
                     ])
diff --git a/test/test_app_logging.py b/test/test_app_logging.py
index a9c41957db..51e294f5a4 100644
--- a/test/test_app_logging.py
+++ b/test/test_app_logging.py
@@ -31,9 +31,6 @@
     azul_log_level,
     configure_test_logging,
 )
-from azul.strings import (
-    single_quote as sq,
-)
 from azul_test_case import (
     AlwaysTearDownTestCase,
     AzulUnitTestCase,
@@ -105,17 +102,18 @@ def fail():
                         self.assertTrue(response.startswith(traceback_header))
                         self.assertIn(magic_message, response)
                         # … and the response is logged.
+                        headers = {
+                            'Content-Type': 'text/plain',
+                            **app.security_headers(),
+                            'Cache-Control': 'no-store'
+                        }
                         self.assertEqual(
                             azul_log.output[2],
-                            'DEBUG:azul.chalice:Returning 500 response with headers {"Content-Type": "text/plain", '
-                            f'"Content-Security-Policy": "default-src {sq("self")}", '
-                            '"Referrer-Policy": "strict-origin-when-cross-origin", '
-                            '"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload", '
-                            '"X-Content-Type-Options": "nosniff", '
-                            '"X-Frame-Options": "DENY", '
-                            '"X-XSS-Protection": "1; mode=block", '
-                            '"Cache-Control": "no-store"}. '
-                            'See next line for the first 1024 characters of the body.\n' + response)
+                            'DEBUG:azul.chalice:Returning 500 response with headers ' +
+                            json.dumps(headers) + '. ' +
+                            'See next line for the first 1024 characters of the body.\n' +
+                            response
+                        )
                     else:
                         # Otherwise, a generic error response is returned …
                         self.assertEqual(response.json(), {
diff --git a/test/test_doctests.py b/test/test_doctests.py
index c4bbe4023e..048b13d8bb 100644
--- a/test/test_doctests.py
+++ b/test/test_doctests.py
@@ -1,4 +1,5 @@
 import doctest
+import unittest
 
 import azul
 import azul.attrs
@@ -8,6 +9,7 @@
 import azul.bytes
 import azul.caching
 import azul.collections
+import azul.csp
 import azul.docker
 import azul.doctests
 import azul.dss
@@ -57,7 +59,10 @@ def setUpModule():
     configure_test_logging()
 
 
-def load_tests(_loader, tests, _ignore):
+def load_tests(_loader,
+               tests: unittest.TestSuite,
+               _ignore
+               ) -> unittest.TestSuite:
     root = azul.config.project_root
     for module in [
         azul,
@@ -68,6 +73,7 @@ def load_tests(_loader, tests, _ignore):
         azul.bytes,
         azul.caching,
         azul.collections,
+        azul.csp,
         azul.doctests,
         azul.docker,
         azul.dss,
@@ -113,3 +119,8 @@ def load_tests(_loader, tests, _ignore):
         assert suite.countTestCases() > 0, module
         tests.addTests(suite)
     return tests
+
+
+if __name__ == '__main__':
+    runner = unittest.TextTestRunner()
+    runner.run(load_tests(None, unittest.TestSuite(), None))