One doc tagged with "csp"

Security Headers Reference

The RCB platform sets HTTP security headers at two distinct layers: the Spring Security filter chain (for all /api/ responses) and nginx (for the React SPA and static assets). Each layer is tuned independently because their content requirements differ — the SPA needs unsafe-inline for MUI's emotion CSS engine while the API never serves inline scripts.