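--- Ensure the outgoing response carries a Content-Security-Policy header.
-- A policy already set by the backend is kept untouched; otherwise the
-- default from the global `param_csp` is applied. Independently, when the
-- global `param_report_only_csp` is set and is not the literal "none", it is
-- written as the Content-Security-Policy-Report-Only header.
--
-- Both `param_*` values are read as globals defined outside this function
-- (presumably filter configuration -- confirm against the deployment).
--
-- @param request  object providing `getTracer()`
-- @param response object providing `getHeader(name)` and `setHeader(name, value)`
function outputHeader(request, response)
    -- Locals, not globals: the original assigned `trace` and `cspHeader`
    -- globally, so state from one response could stay visible to later
    -- invocations sharing the same Lua state.
    local trace = request:getTracer()

    local backend_csp = response:getHeader("content-security-policy")
    if backend_csp ~= nil then
        -- NOTE(review): any non-nil backend value wins, including an empty or
        -- very permissive policy; the default is never merged with it.
        trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. backend_csp .. ").")
    elseif param_csp ~= nil then
        trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
        response:setHeader("content-security-policy", param_csp)
    else
        -- Without this branch the string concatenation above raised an error
        -- on a nil default, which also skipped the report-only handling below.
        -- The response still leaves without an enforcing policy, so this
        -- message is worth alerting on.
        trace:debug("AGOV CSP: Header not set by backend and no default AGOV csp configured, no CSP-header set")
    end

    -- "none" is the sentinel that disables the report-only header.
    -- NOTE(review): a report-only header already set by the backend is not
    -- inspected; whether setHeader replaces or appends is not visible here.
    if param_report_only_csp ~= nil and param_report_only_csp ~= "none" then
        trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
        response:setHeader("content-security-policy-report-only", param_report_only_csp)
    else
        trace:debug("AGOV CSP: No report only CSP-header set")
    end
end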