feat: Add Content-Security-Policy-Report-Only header

Add CSP in Report-Only mode to monitor potential violations before enforcing the policy. This allows us to identify what resources would be blocked and fine-tune the policy without breaking functionality.

The policy includes:

- script-src: self + unsafe-inline (Next.js) + wasm-unsafe-eval (HBAuth)
- style-src: self + unsafe-inline (React styling)
- img-src: self + https + data + blob
- connect-src: self + https (permissive for user-defined API endpoints)
- frame-src: whitelist for embedded content (Twitter, YouTube, etc.)
- worker-src: self + blob (HBAuth Web Workers)
- frame-ancestors: self (clickjacking protection)

Blog has additional frame-src entries for embedded content (Twitter, Vimeo, YouTube, SoundCloud, Twitch, Spotify, 3speak, D.Tube, Odysee, OpenHive Chat).

Violations are reported to the /api/csp-report endpoint.

Closes #781
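The following is an added example, not code from this commit or the project: it serialises the directive set described above into a Report-Only header value and uses a simplified CSP source matcher to predict which resource loads would land in /api/csp-report before the policy is enforced. The frame-src hosts and the `https://example.test` origin are assumed placeholders, and the matcher implements only the 'self', scheme and host forms (real browsers also treat, for example, an `http:` host source as matching its `https:` counterpart).

```javascript
// Added example (not the project's code). Directive set as described in the
// commit; the frame-src hosts are assumed placeholders, not the project's list.
const directives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-inline'", "'wasm-unsafe-eval'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'https:', 'data:', 'blob:'],
  'connect-src': ["'self'", 'https:'],
  'frame-src': ["'self'", 'https://platform.twitter.com', 'https://www.youtube.com'],
  'worker-src': ["'self'", 'blob:'],
  'frame-ancestors': ["'self'"],
  'report-uri': ['/api/csp-report'],
};

// Serialise to the header value sent as Content-Security-Policy-Report-Only.
function buildCsp(map) {
  return Object.entries(map).map(([name, srcs]) => `${name} ${srcs.join(' ')}`).join('; ');
}

// Parse a header value back into { directive: [sources] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Simplified source-expression match: 'self', scheme-only ("https:", "blob:"),
// or host with optional scheme and leading "*." wildcard. Keyword sources other
// than 'self' (e.g. 'unsafe-inline') never match a URL.
function sourceMatches(expr, url, selfOrigin) {
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^/:*]+)$/i.exec(expr);
  if (!m) return false; // paths, nonces, hashes: unsupported here, treated as no match
  const [, scheme, wild, host] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = url.hostname.toLowerCase();
  return wild ? h.endsWith(`.${host.toLowerCase()}`) : h === host.toLowerCase();
}

// True when a load governed by `directive` would generate a violation report.
function wouldBeReported(policy, directive, urlString, selfOrigin) {
  const url = new URL(urlString);
  const sources = policy[directive] ?? policy['default-src'] ?? [];
  return !sources.some((s) => sourceMatches(s, url, selfOrigin));
}
```

Running `wouldBeReported(parseCsp(buildCsp(directives)), 'frame-src', url, selfOrigin)` over the embed URLs a page actually uses is a quick way to check the whitelist before reports start arriving.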