When I was reading about configuring Hugo a few weeks ago, I came across the section below but I forgot to bookmark it. Searching the gohugo.io site for terms such as security headers or content security policy returns no result. I searched hugo test security headers on DuckDuckGo and this page popped up in the results.
(Also worth noting that testing script-src will break the live reload code, so be careful.)