feat: add Content-Security-Policy middleware #64

Merged
sneak merged 2 commits from feat/csp-headers into main 2026-03-10 11:20:15 +01:00

2 Commits

Author SHA1 Message Date
clawbot
d6cfb2e897 docs: document CSP header in Security Model section
All checks were successful
check / check (push) Successful in 1m4s
2026-03-10 03:15:49 -07:00
clawbot
369eef7bc3 feat: add Content-Security-Policy middleware
All checks were successful
check / check (push) Successful in 4s
Add CSP header to all HTTP responses for defense-in-depth against XSS.

The policy restricts all resource loading to same-origin and disables
dangerous features (object embeds, framing, base tag injection). The
embedded SPA requires no inline scripts or inline style attributes
(Preact applies styles programmatically via DOM properties), so a
strict policy without 'unsafe-inline' works correctly.

Directives:
  default-src 'self'      — baseline same-origin restriction
  script-src 'self'       — same-origin scripts only
  style-src 'self'        — same-origin stylesheets only
  connect-src 'self'      — same-origin fetch/XHR only
  img-src 'self'          — same-origin images only
  font-src 'self'         — same-origin fonts only
  object-src 'none'       — no plugin content
  frame-ancestors 'none'  — prevent clickjacking
  base-uri 'self'         — prevent base tag injection
  form-action 'self'      — restrict form submissions
2026-03-10 03:15:02 -07:00
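The middleware described in the commit message above, as an added example written for this page rather than the project's own code. It assumes a Go `net/http` server (the page does not state the project's language); the directive list reproduces the ten directives from the message, `WithCSP` sets the header on every response, and `ParseCSP`/`CheckPolicy` are hypothetical helpers that read a policy back and flag the weakenings the message is designed to avoid: `'unsafe-inline'` or `'unsafe-eval'` reaching script-src (including through the default-src fallback), and a missing object-src, frame-ancestors or base-uri, the last two of which never fall back to default-src.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cspDirectives lists the directives from the commit message in a fixed
// order so the serialized header is deterministic and easy to diff.
var cspDirectives = [][2]string{
	{"default-src", "'self'"},
	{"script-src", "'self'"},
	{"style-src", "'self'"},
	{"connect-src", "'self'"},
	{"img-src", "'self'"},
	{"font-src", "'self'"},
	{"object-src", "'none'"},
	{"frame-ancestors", "'none'"},
	{"base-uri", "'self'"},
	{"form-action", "'self'"},
}

// BuildCSP serializes cspDirectives into a Content-Security-Policy value.
func BuildCSP() string {
	parts := make([]string, 0, len(cspDirectives))
	for _, d := range cspDirectives {
		parts = append(parts, d[0]+" "+d[1])
	}
	return strings.Join(parts, "; ")
}

// WithCSP is the middleware (hypothetical name). The header is set before the
// wrapped handler runs: net/http drops headers set after the first Write.
func WithCSP(next http.Handler) http.Handler {
	policy := BuildCSP()
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

// ParseCSP splits a header value into directive -> lowercased source list.
// As in the CSP spec, a directive that appears twice keeps its first copy.
func ParseCSP(value string) map[string][]string {
	out := map[string][]string{}
	for _, raw := range strings.Split(value, ";") {
		fields := strings.Fields(raw)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, dup := out[name]; dup {
			continue
		}
		srcs := make([]string, 0, len(fields)-1)
		for _, s := range fields[1:] {
			srcs = append(srcs, strings.ToLower(s))
		}
		out[name] = srcs
	}
	return out
}

// CheckPolicy reports settings weaker than the policy above. script-src falls
// back to default-src when absent; object-src does too (so default-src 'self'
// would allow same-origin plugin content); frame-ancestors and base-uri have
// no fallback at all, so leaving them out leaves the page unprotected.
func CheckPolicy(value string) []string {
	p := ParseCSP(value)
	var findings []string
	scriptName, srcs := "script-src", p["script-src"]
	if _, ok := p["script-src"]; !ok {
		scriptName, srcs = "script-src (via default-src)", p["default-src"]
	}
	for _, s := range srcs {
		if s == "'unsafe-inline'" || s == "'unsafe-eval'" {
			findings = append(findings, fmt.Sprintf("%s allows %s", scriptName, s))
		}
	}
	if _, ok := p["object-src"]; !ok {
		findings = append(findings, "object-src missing: plugin content falls back to default-src")
	}
	if _, ok := p["frame-ancestors"]; !ok {
		findings = append(findings, "frame-ancestors missing: no clickjacking protection")
	}
	if _, ok := p["base-uri"]; !ok {
		findings = append(findings, "base-uri missing: <base> tag injection not blocked")
	}
	return findings
}

// HeaderForRequest serves one in-memory request through the middleware and
// returns the CSP header a client would receive.
func HeaderForRequest(path string) string {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<!doctype html><p>ok</p>") // constructed SPA shell
	})
	rec := httptest.NewRecorder()
	WithCSP(app).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result().Header.Get("Content-Security-Policy")
}

func main() {
	fmt.Println(HeaderForRequest("/"))
	fmt.Println(CheckPolicy(BuildCSP()))
	fmt.Println(CheckPolicy("default-src 'self'; script-src 'self' 'unsafe-inline'"))
}
```

Running `CheckPolicy(BuildCSP())` returns no findings, while a policy such as `default-src 'self'; script-src 'self' 'unsafe-inline'` yields four. The check is worth wiring into the same test suite as the middleware so that a later change to the directive list (for example adding `'unsafe-inline'` to get a third-party widget working) fails CI rather than silently weakening the XSS defense.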