1 year ago

#74558

dancl

Phantom Content-Security-Policy appears from somewhere

I'm trying to implement a Content-Security-Policy; however, the Chrome, Firefox and Edge dev tools all report this as a header (which isn't my policy):

Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline' 'unsafe-eval'

If I generate the header as Content-Security-Policy-Report-Only, my header does appear, but when I change it to Content-Security-Policy mine disappears and all I get is the above.

Pretty sure I'm allowed to specify a CSP in local dev. Is this a default policy that's coming from somewhere? (Apache maybe?) Even so, why isn't mine overriding it?!

apache

http-headers

content-security-policy

0 Answers
