2026-03-10 11:20:15 +01:00
1 changed files with 4 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -1624,6 +1624,10 @@ authenticity.
  termination.
 - **CORS**: The server allows all origins by default (`Access-Control-Allow-Origin: *`).
  Restrict this in production via reverse proxy configuration if needed.
+- **Content-Security-Policy**: The server sets a strict CSP header on all
+  responses, restricting resource loading to same-origin and disabling
+  dangerous features (object embeds, framing, base tag injection). The
+  embedded SPA works without `'unsafe-inline'` for scripts or styles.

 ---