If you have some knowledge of web security and Content Security Policy, would you mind having a look at https://dev.funkwhale.audio/funkwhale/funkwhale/merge_requests/826 ?
This is an attempt to harden the security of the web UI via a CSP (and some additional HTTP headers) and to reduce the attack surface in case of exploits.