Commit 5e8618a0 authored by Gandalf

feat: Add Content-Security-Policy-Report-Only header

Add CSP in Report-Only mode to monitor potential violations before
enforcing the policy. This allows us to identify what resources would
be blocked and fine-tune the policy without breaking functionality.

The policy includes:
- script-src: self + unsafe-inline (Next.js) + wasm-unsafe-eval (HBAuth)
- style-src: self + unsafe-inline (React styling)
- img-src: self + https + data + blob
- connect-src: self + https (permissive for user-defined API endpoints)
- frame-src: whitelist for embedded content (Twitter, YouTube, etc.)
- worker-src: self + blob (HBAuth Web Workers)
- frame-ancestors: self (clickjacking protection)

Blog has additional frame-src entries for embedded content (Twitter,
Vimeo, YouTube, SoundCloud, Twitch, Spotify, 3speak, D.Tube, Odysee,
OpenHive Chat).

Violations are reported to the /api/csp-report endpoint.

Closes #781
parent 9c97b217
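As an added example (not code from this commit or the project), the following shows the two halves of a Report-Only rollout the message describes: serialising a directive map into the header value, deriving the blog's longer frame-src list from the base policy, and triaging the JSON violation reports a browser POSTs to the report endpoint. The source lists follow the commit message; the concrete frame-src hosts, the example.test document URIs and the sample reports are constructed assumptions.

```javascript
// Added example, not code from the commit: build the Report-Only header from a
// structured directive map and triage the violation reports a browser POSTs to
// /api/csp-report. Source lists follow the commit message; the frame-src hosts
// and the sample reports below are constructed assumptions.
const baseDirectives = {
  'script-src': ["'self'", "'unsafe-inline'", "'wasm-unsafe-eval'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'https:', 'data:', 'blob:'],
  'connect-src': ["'self'", 'https:'],
  // assumed embed hosts; the commit only names the services
  'frame-src': ["'self'", 'https://platform.twitter.com', 'https://www.youtube.com'],
  'worker-src': ["'self'", 'blob:'],
  'frame-ancestors': ["'self'"],
  'report-uri': ['/api/csp-report'],
};

// Serialise a directive map into a header value: "name src src; name src".
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Return a copy with extra sources appended to one directive (deduplicated),
// e.g. the blog's longer frame-src list; the base map is left untouched.
function withExtraSources(directives, name, extras) {
  const merged = new Set([...(directives[name] || []), ...extras]);
  return { ...directives, [name]: [...merged] };
}

// blocked-uri is a full URL for network loads but a bare token ('inline',
// 'eval', 'data') for inline violations; collapse URLs to their origin so the
// tally groups by host rather than by individual path.
function normalizeBlockedUri(uri) {
  if (!uri) return '(none)';
  try {
    return new URL(uri).origin;
  } catch {
    return uri;
  }
}

// Tally report bodies (each a JSON string as sent by the browser) by
// "effective-directive origin". Malformed bodies are counted rather than
// thrown, because the report endpoint is reachable by anyone and must not
// become a crash vector.
function summarizeReports(rawReports) {
  const counts = {};
  let malformed = 0;
  for (const raw of rawReports) {
    let body;
    try {
      body = JSON.parse(raw);
    } catch {
      malformed += 1;
      continue;
    }
    const report = body && body['csp-report'];
    if (!report || typeof report['effective-directive'] !== 'string') {
      malformed += 1;
      continue;
    }
    const key = `${report['effective-directive']} ${normalizeBlockedUri(report['blocked-uri'])}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return { counts, malformed };
}

// Constructed sample reports: two Vimeo embeds flagged by frame-src, one inline
// script flagged by script-src, and one garbage body.
const sampleReports = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.test/post/1',
    'effective-directive': 'frame-src', 'blocked-uri': 'https://player.vimeo.com/video/1',
    'disposition': 'report' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.test/post/2',
    'effective-directive': 'frame-src', 'blocked-uri': 'https://player.vimeo.com/video/2',
    'disposition': 'report' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.test/',
    'effective-directive': 'script-src', 'blocked-uri': 'inline', 'disposition': 'report' } }),
  'not json at all',
];

const blogDirectives = withExtraSources(baseDirectives, 'frame-src', ['https://player.vimeo.com']);
console.log(buildCspHeader(blogDirectives));
console.log(summarizeReports(sampleReports));
```

The header value returned by `buildCspHeader` is what would be set as `Content-Security-Policy-Report-Only`; once the tally from `summarizeReports` stops surfacing directives that need new sources, the same value can be moved to the enforcing `Content-Security-Policy` header. The `report-uri` directive is used here because it is what the commit message names; newer browsers prefer `report-to`, so a production endpoint should accept both body shapes.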