Merge branch 'main' into feat/hashcash-pow

2026-03-10 11:21:21 +01:00
parent ff9a943e6d a98e0ca349
commit 2a3d2dc94c
3 changed files with 38 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -1640,6 +1640,10 @@ authenticity.
  termination.
 - **CORS**: The server allows all origins by default (`Access-Control-Allow-Origin: *`).
  Restrict this in production via reverse proxy configuration if needed.
+- **Content-Security-Policy**: The server sets a strict CSP header on all
+  responses, restricting resource loading to same-origin and disabling
+  dangerous features (object embeds, framing, base tag injection). The
+  embedded SPA works without `'unsafe-inline'` for scripts or styles.

 ---