Are settings web apllication in combination with the configuration server for CORS and security, if using CDN or external parts / scripts then look there.
( i vage remember there was a external script / css or something in webmin longer time ago but don’t know where an if it still is)
Or this one?
So test in browser debug/ dev mode to find out?
This test can help some.
Check your HTTP2 settings to Clear yes or no HTTP2 support and yes or no OCSP stapling support needed - General Discussion - Virtualmin Community
Analyse your HTTP response headers (securityheaders.com)
Is set globally OK for your box or other setting…?
For the webmin dev @Ilia is this script a solution to build in for some testing webmin virtualmin?