Fix headers added by node for the recommended config

lib/http-worker.js

@@ -127,23 +127,15 @@ var getHeaders = function (Env, type) {
         csp = Default.contentSecurity(Env);
     }
     headers['Content-Security-Policy'] = csp;
-
-    if (Env.NO_SANDBOX) { // handles correct configuration for local development
-    // https://stackoverflow.com/questions/11531121/add-duplicate-http-response-headers-in-nodejs
-        headers["Cross-Origin-Resource-Policy"] = 'cross-origin';
-        headers["Cross-Origin-Embedder-Policy"] = 'require-corp';
-    }
+    headers["Cross-Origin-Resource-Policy"] = 'cross-origin';
+    headers["Cross-Origin-Embedder-Policy"] = 'require-corp';
+    cacheHeaders(Env, key, headers);
 
     // Don't set CSP headers on /api/ endpoints
     // because they aren't necessary and they cause problems
     // when duplicated by NGINX in production environments
-    if (type === 'api') {
-        cacheHeaders(Env, key, headers);
-        return headers;
-    }
+    if (type === 'api') { delete headers['Content-Security-Policy']; }
 
-    headers["Cross-Origin-Resource-Policy"] = 'cross-origin';
-    cacheHeaders(Env, key, headers);
     return headers;
 };