docs: document CSP header in Security Model section
All checks were successful
check / check (push) Successful in 1m4s
All checks were successful
check / check (push) Successful in 1m4s
This commit is contained in:
clawbot
@@ -1624,6 +1624,10 @@ authenticity.
|
||||
termination.
|
||||
- **CORS**: The server allows all origins by default (`Access-Control-Allow-Origin: *`).
|
||||
Restrict this in production via reverse proxy configuration if needed.
|
||||
- **Content-Security-Policy**: The server sets a strict CSP header on all
|
||||
responses, restricting resource loading to same-origin and disabling
|
||||
dangerous features (object embeds, framing, base tag injection). The
|
||||
embedded SPA works without `'unsafe-inline'` for scripts or styles.
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user