diff --git a/serve.ts b/serve.ts
index 4e17c30..c136b89 100644
--- a/serve.ts
+++ b/serve.ts
@@ -2,7 +2,7 @@ import Server from "lume/core/server.ts";
 import { basicAuth } from "lume/middlewares/basic_auth.ts"
 import precompress from "lume/middlewares/precompress.ts";
 import expires from "lume/middlewares/expires.ts";
-import csp from "https://raw.githubusercontent.com/lumeland/experimental-plugins/main/csp/mod.ts";
+// import csp from "https://raw.githubusercontent.com/lumeland/experimental-plugins/main/csp/mod.ts";

 const server = new Server({
 port: 8000,
@@ -34,19 +34,19 @@ function isProtected(req) {
 server.use(precompress());
 server.use(expires());
 // pass your preferred security header options:
-server.use(csp({
- "Strict-Transport-Security": {
- maxAge: DEFAULT_MAX_AGE,
- includeSubDomains: true,
- preload: true,
- },
- "Referrer-Policy": ["no-referrer", "strict-origin-when-cross-origin"],
- "X-Frame-Options": true,
- "X-Content-Type-Options": true,
- "X-XSS-Protection": true,
- "X-Permitted-Cross-Domain-Policies": true,
- "X-Powered-By": true,
-}));
+// server.use(csp({
+// "Strict-Transport-Security": {
+// maxAge: DEFAULT_MAX_AGE,
+// includeSubDomains: true,
+// preload: true,
+// },
+// "Referrer-Policy": ["no-referrer", "strict-origin-when-cross-origin"],
+// "X-Frame-Options": true,
+// "X-Content-Type-Options": true,
+// "X-XSS-Protection": true,
+// "X-Permitted-Cross-Domain-Policies": true,
+// "X-Powered-By": true,
+// }));

 server.use(async (request, next) => {
 const response = await next(request);
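Review bot: The commented-out import in the first hunk still names a branch-tracking URL (`.../experimental-plugins/main/csp/mod.ts`) with no tag or commit pin, so whoever uncomments it later loads whatever is on `main` that day into the server process. Either delete the line or leave a pinned form behind, e.g. `// import csp from "https://raw.githubusercontent.com/lumeland/experimental-plugins/<COMMIT_SHA>/csp/mod.ts";` (placeholder SHA), with a short comment saying why the middleware was turned off. Whether the project uses a lock file with integrity checks, which would also cover this, is not visible in the diff.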
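Review bot: Commenting out the whole `server.use(csp({...}))` call in the second hunk drops Strict-Transport-Security, Referrer-Policy, X-Frame-Options and X-Content-Type-Options from every response at once, and nothing in the hunk replaces them. The file imports `basicAuth` and defines `isProtected`, so it presumably serves credential-protected routes, where losing HSTS and the anti-framing header matters most. The custom middleware starting at `server.use(async (request, next) => {` continues outside the hunk; if it does not already set these headers, add them there, e.g. `response.headers.set("X-Content-Type-Options", "nosniff");` and `response.headers.set("X-Frame-Options", "DENY");`, plus a `Strict-Transport-Security` value. `DEFAULT_MAX_AGE` may now be unused, but its definition is outside the hunk, so check before removing it.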