All checks were successful
check / check (push) Successful in 4s
Add CSP header to all HTTP responses for defense-in-depth against XSS.

The policy restricts all resource loading to same-origin and disables dangerous features (object embeds, framing, base tag injection). The embedded SPA requires no inline scripts or inline style attributes (Preact applies styles programmatically via DOM properties), so a strict policy without 'unsafe-inline' works correctly.

Directives:
  default-src 'self'     — baseline same-origin restriction
  script-src 'self'      — same-origin scripts only
  style-src 'self'       — same-origin stylesheets only
  connect-src 'self'     — same-origin fetch/XHR only
  img-src 'self'         — same-origin images only
  font-src 'self'        — same-origin fonts only
  object-src 'none'      — no plugin content
  frame-ancestors 'none' — prevent clickjacking
  base-uri 'self'        — prevent base tag injection
  form-action 'self'     — restrict form submissions
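The directives from the commit message as a header builder, together with a parser and an audit function that checks whether a served Content-Security-Policy header still meets this strict baseline (no 'unsafe-inline'/'unsafe-eval' or wildcard on the XSS-relevant directives, object-src and frame-ancestors locked to 'none'). This is an added example in JavaScript, not code from the commit or the project; the function names are my own, and it is written to run in Node without dependencies.

```javascript
// Directives exactly as listed in the commit message.
const CSP_DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'"],
  "connect-src": ["'self'"],
  "img-src": ["'self'"],
  "font-src": ["'self'"],
  "object-src": ["'none'"],
  "frame-ancestors": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
};

// Serialise to a header value: "name source ...; name source ...".
function buildCsp(directives = CSP_DIRECTIVES) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a header value back into { name: [sources] }. Tolerates extra
// whitespace and a trailing semicolon; directive names are case-insensitive.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Audit a received header against the strict baseline the commit describes.
// Returns a list of problems (empty when the policy passes), checking the
// properties that matter rather than comparing strings byte for byte.
function auditCsp(header) {
  const policy = parseCsp(header);
  const problems = [];
  for (const name of ["default-src", "script-src", "style-src", "base-uri", "form-action"]) {
    const sources = policy[name];
    if (!sources) problems.push(`missing ${name}`);
    else if (sources.some((s) => /^'unsafe-(inline|eval)'$/i.test(s) || s === "*"))
      problems.push(`${name} allows ${sources.join(" ")}`);
  }
  for (const name of ["object-src", "frame-ancestors"]) {
    if ((policy[name] || []).join(" ") !== "'none'") problems.push(`${name} must be 'none'`);
  }
  return problems;
}
```

In a deployment test, feed `auditCsp` the `content-security-policy` header of a real response from the service so a later relaxation of the policy fails the check.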