Add content security policy (CSP) to your site without changing your backends (or when you don't have backends and are using static site origins). Here's how!
For an overview of why you should add content security policy to your site, please read here, here, and here.
As it's sometimes tricky to get the back-end updated to add additional headers, I decided to leverage Lambda@Edge to serve the HTTP headers from the CloudFront edge locations.
Go grab the code here, follow the fine instructions, and you should be good to go!