diff --git a/bin/serve.es b/bin/serve.es
index 50942461de4..7c93f26dc35 100644
--- a/bin/serve.es
+++ b/bin/serve.es
@@ -6,7 +6,8 @@ const
     = require ('../middleware')
 
 middleware = [
-  route (`/hello/`, Resource `/resource/fixtures/`)
+  route (`/report/`, Resource `/report/`)
+, route (`/hello/`, Resource `/resource/fixtures/`)
 , route (`/examples/`, Resource `/examples/`)
 ]
 
diff --git a/index.css b/index.css
index 9e0acdec87e..946b80710e5 100644
--- a/index.css
+++ b/index.css
@@ -1,3 +1,8 @@
+/*
+  // enough inline styles to paint to fold
+  // Japanese colors - https://en.wikipedia.org/wiki/Traditional_colors_of_Japan#Red.2FViolet_series
+*/
+
 :root {
   --margin: 0 0;
 }
@@ -271,4 +276,3 @@ body > main, body > aside { flex: 1 }
 }
 
 @media (min-width:1300px) { }
-
diff --git a/index.html b/index.html
index c0cc2122078..c3fcc8b3b62 100644
--- a/index.html
+++ b/index.html
@@ -16,6 +16,7 @@
   href=/index.css
   rel='preload stylesheet'
 >
+
 <!--
 <link
   as=fetch
@@ -31,12 +32,6 @@
   href=/examples/header-group>
 -->
 
-
-<style>
-// enough inline styles to paint to fold
-// Japanese colors - https://en.wikipedia.org/wiki/Traditional_colors_of_Japan#Red.2FViolet_series
-</style>
-
 <!-- https://www.speedshop.co/2015/10/21/hacking-head-tags-for-speed-and-profit.html -->
 
 <!-- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/base -->
@@ -937,5 +932,5 @@ <h3>Further Learning</h3>
   <em>Copyright &copy; 2018 A <strong>devPunks</strong> project</em>
 </footer>
 
-<script src=/browser-sync.es></script>
+<script src=/browser-sync.js></script>
 
diff --git a/middleware/README.md b/middleware/README.md
index d4f0fd0f4f1..cbdc6043aab 100644
--- a/middleware/README.md
+++ b/middleware/README.md
@@ -1,6 +1,11 @@
 # middleware
 
 
+## snuggsi.cors
+
+Cross Origin Resource Sharing
+
+
 ## snuggsi.auth
 
 Middleware used for Authentication.
@@ -8,10 +13,38 @@ Middleware used for Authentication.
 
 ## snuggsi.security
 
+Browser security for frames and XSS attacks
+
+
+## snuggsi.policy
+
 Middleware used for CSP (Content Security Policy).
 
+  - W3C Web App Security - https://github.com/w3c/webappsec
+  - W3C CSP3 Specification - https://w3c.github.io/webappsec-csp
+  - W3C Mixed Content (CR) - https://w3c.github.io/webappsec-mixed-content
+  - W3C Upgrade Insecure Requests (CR) - https://w3c.github.io/webappsec/specs/upgrade/
+  - Wikipedia Documentation - https://en.wikipedia.org/wiki/Content_Security_Policy
+  - MDN Documentation - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+
+
+### Services
+
+  - Report-Uri - https://report-uri.com
+  - Reporting for security headers https://securityheaders.io
+  - Collection of CSP Bypasses - http://sebastian-lekies.de/csp/bypasses.php
+
+
+### Links
+
+  - Helmet - https://helmetjs.github.io
+  - GOOGLE CSP - https://csp.withgoogle.com/docs/strict-csp.html
+  - Mozilla Security Guidelines - https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
   - https://medium.com/square-corner-blog/content-security-policy-for-single-page-web-apps-78f2b2cf1757
   - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
+  - Node Security Platform - https://nodesecurity.io/resources
+  - Github's CSP Journey - https://githubengineering.com/githubs-csp-journey
+  - Github's post-CSP Journey - https://githubengineering.com/githubs-post-csp-journey
 
 ## snuggsi.route
 
diff --git a/middleware/index.es b/middleware/index.es
index 43a1e692d01..0650e60fd06 100644
--- a/middleware/index.es
+++ b/middleware/index.es
@@ -6,6 +6,7 @@ module.exports = {
   auth       : require ('./auth')
 , cors       : require ('./cors')
 , security   : require ('./security')
+, policy     : require ('./policy.es') // because .json ❓❓❓
 , browse     : require ('./browse')
 , snuggsi    : require ('./snuggsi')
 , route      : require ('./route')
diff --git a/middleware/index.test b/middleware/index.test
index 07f1f744931..46227a2288f 100644
--- a/middleware/index.test
+++ b/middleware/index.test
@@ -3,5 +3,9 @@ require ('./cors.test')
 require ('./security.test')
 require ('./snuggsi.test')
 require ('./route.test')
+require ('./policy.test')
+// require ('./compressor.test')
+// require ('./negotiator.test')
+//require ('./librarian.test')
 require ('./assets.test')
 
diff --git a/middleware/policy.es b/middleware/policy.es
new file mode 100644
index 00000000000..8e13db8c7c5
--- /dev/null
+++ b/middleware/policy.es
@@ -0,0 +1,107 @@
+// Can actually charge for this feature // https://report-uri.com/#prices
+
+const
+//schemes   = ['safari-extension://', 'chrome-extension://', 'https://', 'http://']
+  header    = 'Content-Security-Policy'
+, SECURE    = true
+// Depending on analytics framework,
+// may want to listen for securitypolicyviolation events
+// with JavaScript and collect more information about the client before reporting.
+, report    = ['https://snuggsi.report-uri.com/r/d/csp/enforce'] // report-to // *DEPRECATED* report-uri
+
+, defaults  = ["'self'"] // default-src
+, img       = defaults   // img-src
+, style     = defaults   // style-src
+  // nonce-${nonce} ** MUST BE UNIQUE **
+  //   https://w3c.github.io/webappsec-csp/#framework-directive-source-list
+  // **NEVER EXPOSE!!! Causes XSS attacks** script-src 'unsafe-inline'
+  // **THAT BEING SAID...For Safari 😢
+  // 'unsafe-inline' // THIS MAY NOT BE TRUE IN 2018
+, script    = defaults   // script-src Script Nonce for inline <script>
+
+, font      = defaults   // font-src
+, media     = defaults   // media-src
+, connect   = defaults   // connect-src
+, child     = defaults   // child-src
+, frame     = child      // frame-src
+, worker    = script     // worker-src // script-src fallback
+, object    = ["'none'"] // object-src
+, plugin    = ['audio/*', 'video/*'] // plugin-types when object != 'none'
+
+, form      = defaults   // form-action
+, ancestors = defaults   // frame-ancestors
+
+, manifest  = defaults   // manifest-src
+, base      = defaults   // base-uri
+, sandbox   = defaults ||// sandbox
+  [/*
+    allow-forms
+  , allow-popups
+  , allow-modals
+  , allow-scripts
+  , allow-same-origin
+  , allow-presentation
+  , allow-pointer-lock
+  , allow-top-navigation
+  , allow-orientation-lock
+  , allow-popups-to-escape-sandbox
+  */]
+
+, directives = [
+  // Reporting
+    `report-to ${ report.join ` ` }`
+
+  // Fetch
+  , `default-src ${ defaults.join ` ` }`
+  , `img-src ${ img.join ` ` }`
+  , `style-src ${ style.join ` ` }`
+  , `script-src ${ script.join ` ` }`
+
+  , `font-src ${ font.join ` ` }`
+  , `media-src ${ media.join ` ` }`
+  , `connect-src ${ connect.join ` ` }`
+  , `child-src ${ child.join ` ` }`
+  , `frame-src ${ frame.join ` ` }`
+  , `worker-src ${ worker.join ` ` }`
+  , `object-src ${ object.join ` ` }`
+  , !!! object.includes (`'none'`)
+      ? `plugin-types ${ plugin.join ` ` }`
+      : ''
+
+//  Navigation
+  , `form-action ${ form.join ` ` }`
+  , `frame-ancestors ${ ancestors.join ` ` }`
+
+// Document
+  , `base-uri ${ base.join ` ` }`
+  , `manifest-src ${ manifest.join ` ` }`
+  //  `sandbox  ...` is not supported in the <meta> element
+  //  or by the Content-Security-policy-Report-Only header field.
+  //  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
+  , `sandbox ${ sandbox.join ` ` }`
+
+  // Other
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
+  , SECURE
+      ? `block-all-mixed-content`
+      : `update-insecure-requests`
+  // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
+//, `require-sri-for ${ integrities.join ` ` }`
+  // DEPRECATED!! See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+//, `referrer`
+  ]
+
+
+module.exports = async (context, next, policy) => {
+
+  policy = directives.filter (Boolean).join `; `
+
+  context.set ( header, policy)
+
+  'report'
+    in context.request.query
+    && context.set ( `${header}-Report-Only`, policy)
+
+  await next (context)
+}
diff --git a/middleware/policy.json b/middleware/policy.json
new file mode 100644
index 00000000000..5491364c680
--- /dev/null
+++ b/middleware/policy.json
@@ -0,0 +1,22 @@
+{
+  "secure" : true
+
+, "report-uri"
+    : "https://snuggsi.report-uri.com/r/d/csp/enforce"
+
+, "default-src" : [
+    "'self'"
+  ]
+
+, "img-src" : [
+    "'self'"
+  ]
+
+, "style-src" : [
+    "'self'"
+  ]
+
+, "script-src" : [
+    "'self'"
+  ]
+}
diff --git a/middleware/policy.test b/middleware/policy.test
new file mode 100644
index 00000000000..917e407707c
--- /dev/null
+++ b/middleware/policy.test
@@ -0,0 +1,399 @@
+const
+  { test, serve, fetch }
+    = require ('test')
+
+, { Server }
+    = require ('..')
+
+, defaults = [`'self'`].join `; `
+
+
+test ('calling next middleware')
+
+
+test ('Content-Security-Policy-Report-Only', async t => {
+
+  const
+    server = serve ``
+
+  , { headers }
+      = (await fetch ('http://localhost:8181/?report'))
+
+  , report = headers.get ('Content-Security-Policy-Report-Only')
+  , policy = headers.get ('Content-Security-Policy')
+
+  t.ok ( policy )
+  t.ok ( report )
+  t.equals ( report, policy )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy', async t => {
+
+  const
+    server = serve ``
+
+  , { headers }
+      = (await fetch ('http://localhost:8181/'))
+
+  , report = headers.get ('Content-Security-Policy-Report-Only')
+  , policy = headers.get ('Content-Security-Policy')
+
+  t.ok ( policy )
+  t.notOk ( report )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: report-to' , async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+  , url = 'https://snuggsi.report-uri.com/r/d/csp/enforce'
+
+
+  t.ok ( policy.includes (`report-to ${url}`))
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: default-src', async t => {
+
+  const
+    server = serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`default-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: manifest-src', async t => {
+
+  const
+    server = serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`manifest-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: child-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`child-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: frame-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`frame-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: connect-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`connect-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('content-security-policy: img-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`img-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: font-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`font-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ("Content-Security-Policy: object-src 'none'", async t => {
+
+  const
+    server = serve ``
+
+  , { headers }
+      = (await fetch ('http://localhost:8181/'))
+
+  , policy = headers.get ('content-security-policy')
+
+
+  console.warn (policy)
+
+  t.ok ( policy.includes (`object-src 'none'`) )
+  t.notOk ( policy.includes (`plugin-types`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ("Content-Security-Policy: object-src 'self'; plugin-types", async t => {
+  // only available when object-src is NOT 'none'
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types#Examples
+
+  const
+    server  = serve ``
+  , plugins = ['audio/*', 'video/*'].join ` `
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`plugin-types ${plugins}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: media-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`media-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: style-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`style-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: script-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`script-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: worker-src', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`worker-src ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: base-uri', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`base-uri ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: sandbox', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`sandbox`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: form-action', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`form-action ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: frame-ancestors', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`frame-ancestors ${defaults}`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: block-all-mixed-content', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.ok ( policy.includes (`block-all-mixed-content`) )
+
+  server.close ``
+  t.end ()
+})
+
+
+test ('Content-Security-Policy: update-insecure-requests', async t => {
+
+  const
+    server = (new Server).serve ``
+
+  , policy
+      = (await fetch ('http://localhost:8181/'))
+        .headers.get ('content-security-policy')
+
+
+  t.notOk ( policy.includes (`update-insecure-requests`) )
+
+  server.close ``
+  t.end ()
+})
diff --git a/middleware/security.es b/middleware/security.es
index 2d96ef67364..d8aca841858 100644
--- a/middleware/security.es
+++ b/middleware/security.es
@@ -13,6 +13,7 @@ const
 module.exports = options =>
 
   async (context, next) => {
+
     await next ()
 
     context.set
diff --git a/middleware/security.test b/middleware/security.test
index e97b95c75b4..ee614c931ae 100644
--- a/middleware/security.test
+++ b/middleware/security.test
@@ -8,19 +8,17 @@
 
 
 const
-  { test, fetch }
+  { test, fetch, serve }
     = require ('test')
 
-, Server = require ('server')
 
-
-test ('calling next middlewaree')
+test ('calling next middleware')
 
 
 test ('X-XSS-Protection: 1; mode=block', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
 
@@ -33,7 +31,7 @@ test ('X-XSS-Protection: 1; mode=block', async t => {
   t.ok
     (expected.test (response.headers.get ('x-xss-protection')))
 
-  server.close ()
+  server.close ``
   t.end ()
 
 })
@@ -42,14 +40,14 @@ test ('X-XSS-Protection: 1; mode=block', async t => {
 test ('X-Frame-Options: deny', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
 
   t.equal
     ('deny', response.headers.get ('x-frame-options'))
 
-  server.close ()
+  server.close ``
   t.end ()
 })
 
@@ -57,14 +55,14 @@ test ('X-Frame-Options: deny', async t => {
 test ('X-Content-Type-Options: nosniff', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
 
   t.equal
     ('nosniff', response.headers.get ('x-content-type-options'))
 
-  server.close ()
+  server.close ``
   t.end ()
 })
 
@@ -72,7 +70,7 @@ test ('X-Content-Type-Options: nosniff', async t => {
 test ('Strict-Transport-Security', async t => {
 
   const
-    server   = (new Server).serve ``
+    server   = serve ``
   , response = await fetch ('http://localhost:8181/')
 
   , age      = 60 * 60 * 24 * 365
@@ -83,6 +81,6 @@ test ('Strict-Transport-Security', async t => {
   t.ok
     (expected.test (response.headers.get ('strict-transport-security')))
 
-  server.close ()
+  server.close ``
   t.end ()
 })
diff --git a/public/browser-sync.es b/public/browser-sync.js
similarity index 100%
rename from public/browser-sync.es
rename to public/browser-sync.js
diff --git a/report/README.md b/report/README.md
new file mode 100644
index 00000000000..2278c370179
--- /dev/null
+++ b/report/README.md
@@ -0,0 +1,10 @@
+# Report
+
+  Used for violation reporting.
+
+  See [MDN Violation Report Syntax](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#Violation_report_syntax) For further details.
+
+
+## Example JSON Payload
+
+  See [index.json](index.json)
diff --git a/report/index.json b/report/index.json
new file mode 100644
index 00000000000..8bb9f109f09
--- /dev/null
+++ b/report/index.json
@@ -0,0 +1,9 @@
+{
+  "csp-report": {
+    "document-uri": "http://example.com/",
+    "referrer": "",
+    "blocked-uri": "http://example.com/index.css",
+    "violated-directive": "style-src foo.com",
+    "original-policy": "default-src 'none'; style-src foo.com; report-uri /reports/"
+  }
+}
diff --git a/resource/README.md b/resource/README.md
index 5b13b00ebd3..17e2a16f528 100644
--- a/resource/README.md
+++ b/resource/README.md
@@ -1,10 +1,20 @@
 # `Resource`
 
+## Types
+
+  A `Resource` (and for that matter (sub)`Resource` can be one of 4 media types (There will be more):
+
+  1. - `text/*`
+  2. - `image/*`
+  3. - `style/*`
+  4. - `script/*`
+
+
 ## Request Methods
 
-- HTTP Method Definitions - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
-- MDN Request Methods - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
 - Handling A Resource - https://mimesniff.spec.whatwg.org/#handling-a-resource
+- MDN Request Methods - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
+- HTTP Method Definitions - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 
 
 ## Response Streams
@@ -19,12 +29,12 @@
 ## MIME Sniffing
 
   - https://mimesniff.spec.whatwg.org/#javascript-mime-type
+  - Context-Specific sniffing - https://mimesniff.spec.whatwg.org/#context-specific-sniffing
   - Matching a MIME type pattern - https://mimesniff.spec.whatwg.org/#matching-a-mime-type-pattern
   - Determining the computed MIME type of a resource - https://mimesniff.spec.whatwg.org/#matching-an-image-type-pattern
-  - Context-Specific sniffing - https://mimesniff.spec.whatwg.org/#context-specific-sniffing
   
 
-## References
+# References
 
   - Rest Cookbook -  http://restcookbook.com/
   - HTTP Status Codes - https://httpstatuses.com/
diff --git a/server/index.es b/server/index.es
index 72b44ea51aa..585a79691f4 100644
--- a/server/index.es
+++ b/server/index.es
@@ -1,5 +1,5 @@
 const
-  { cors, security, snuggsi, negotiator, assets }
+  { auth, cors, security, policy, compressor, snuggsi, negotiator, librarian, mixins, assets }
     = require ('middleware')
 
 
@@ -10,6 +10,7 @@ module.exports = class extends require ('koa') {
     for (let slice of [
       cors        // why is this NOT a function...
     , security `` // and this IS a function?
+    , policy
     , ... middleware
     , snuggsi
     ]) this.use (slice)
diff --git a/test/index.es b/test/index.es
index 2e486eb622c..ee4affc97ee 100644
--- a/test/index.es
+++ b/test/index.es
@@ -1,22 +1,25 @@
 console.warn ('loading test helper')
 
 const
-  { test }
+  fetch =
+    ( resource, ... options ) =>
+      require ('node-fetch') (resource, ... options)
+
+, { test, onFinish : finish }
     = require ('tape')
 
-, fetch
-    = ( resource, ... options ) =>
-      require ('node-fetch') (resource, ... options)
+
+finish (process.exit)
 
 
 module.exports = {
   test
 , fetch
-
-// See chunked responses
-// http://taylor.fausak.me/2013/02/17/testing-a-node-js-http-server-with-mocha/
-, get    : require ('http')
 , read   : require ('./read')
 , serve  : require ('./serve')
 , browse : require ('./browse')
+
+// See chunked responses
+// http://taylor.fausak.me/2013/02/17/testing-a-node-js-http-server-with-mocha/
+, get    : require ('http').get
 }
diff --git a/test/serve.es b/test/serve.es
index 34ad5b21b29..cde7cc4132a 100644
--- a/test/serve.es
+++ b/test/serve.es
@@ -2,8 +2,5 @@ const
   server = new (require ('server'))
 
 
-require ('tape')
-  .onFinish (process.exit)
-
 module.exports
   = server.serve.bind (server)
