Work with a restrictive CSP policy
Currently, Atlas doesn't play nice with CSP, because it embeds CSS and JavaScript inside the HTML code instead of putting them into dedicated files.
The usage of CSP would make exploitation of (potential) XSS harder.
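
An added example, not part of the original issue or of Atlas's code: a Python check that lists the inline constructs a policy without `'unsafe-inline'` would block, which is the inventory needed before moving them into dedicated files. The policy string, the names `InlineFinder` and `find_inline`, and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed target policy (constructed, not from the issue): no 'unsafe-inline'.
POLICY = "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"
JS_TYPES = {"", "module", "text/javascript", "application/javascript"}

class InlineFinder(HTMLParser):
    """Records markup that a policy without 'unsafe-inline' would block."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line where this tag starts
        attrs = {name: (value or "") for name, value in attrs}
        # <script> with a body and a JavaScript (or absent) type is inline code;
        # data blocks such as type="application/json" are not executed.
        if tag == "script" and "src" not in attrs \
                and attrs.get("type", "").strip().lower() in JS_TYPES:
            self.findings.append((line, "inline-script", "<script> without src"))
        if tag == "style":
            self.findings.append((line, "inline-style", "<style> element"))
        for name, value in attrs.items():
            if name == "style":
                self.findings.append((line, "style-attr", f"<{tag} style=...>"))
            elif name.startswith("on"):
                self.findings.append((line, "event-handler", f"<{tag} {name}=...>"))
            elif name in ("href", "src", "action") \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"<{tag} {name}=...>"))

def find_inline(html):
    """Return (line, kind, detail) for each construct the policy would block."""
    finder = InlineFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; lines 4 and 6 already use dedicated files.
SAMPLE = """<!doctype html>
<html>
<head>
  <link rel="stylesheet" href="/static/app.css">
  <style>body { margin: 0 }</style>
  <script src="/static/app.js"></script>
  <script>init();</script>
</head>
<body>
  <div style="color: red" onclick="go()">x</div>
  <a href="javascript:void(0)">y</a>
</body>
</html>
"""

if __name__ == "__main__":
    print("Target policy:", POLICY)
    for line, kind, detail in find_inline(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

An empty result for every rendered template means the policy can be enforced without `'unsafe-inline'`.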