Enable CSP for GUI
The nginx instance for the web GUI should enable CSP. Just adding the following works:
add_header Content-Security-Policy "default-src 'self';";
though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.
Adding upgrade-insecure-requests while there wouldn't hurt either.
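A sketch of the split described above, with CSP on the GUI instance and none on the captive portal instance. This is an added example, not the project's own configuration. Server names, ports and file paths are placeholders.

```nginx
# Added example: names, ports and paths below are placeholders.

# Web GUI instance: same-origin resources only, and http:// subresource
# URLs are upgraded to https:// by the browser.
server {
    listen 443 ssl;
    server_name gui.example.internal;          # placeholder
    ssl_certificate     /path/to/gui.crt;      # placeholder
    ssl_certificate_key /path/to/gui.key;      # placeholder
    root /path/to/gui/www;                     # placeholder

    # "always" attaches the header to error responses (4xx/5xx) too;
    # without it nginx only adds headers to a fixed set of status codes.
    add_header Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;" always;

    location /static/ {                        # placeholder location
        # add_header is inherited from the server level only when the
        # location defines no add_header of its own. This location sets
        # Cache-Control, so the CSP line has to be repeated here or the
        # policy is silently missing for everything under /static/.
        add_header Cache-Control "public, max-age=3600";
        add_header Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;" always;
    }
}

# Captive portal instance: no Content-Security-Policy header, because
# portal pages routinely include external resources.
server {
    listen 8002;                               # placeholder
    server_name portal.example.internal;       # placeholder
    root /path/to/portal/www;                  # placeholder
}
```

To surface the edge cases before enforcing, the same policy string can first be sent as `Content-Security-Policy-Report-Only`, which makes browsers log violations without blocking anything.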