chat/internal/server/routes.go
clawbot 706f5f6dcc
feat: add Content-Security-Policy header for embedded web SPA
Set CSP header on all SPA-served responses to provide defense-in-depth
against XSS. The policy restricts scripts, styles, and all other
resource types to same-origin only, matching the SPA's actual behavior
(external CSS/JS files, same-origin fetch API calls, no WebSockets or
external resources).
2026-03-10 03:17:55 -07:00
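
An added example, not code from this commit or from `routes.go`: one way to apply a same-origin-only CSP to SPA responses in Go and to check that the served policy really is same-origin only. The policy string and the names `spaCSP`, `withCSP`, `auditSameOrigin` and `servedPolicy` are assumptions, since the page does not show the header value or the handler code.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed policy string; the commit page does not show the exact header value.
const spaCSP = "default-src 'self'; script-src 'self'; style-src 'self'"

// withCSP (hypothetical name) sets the policy on every response served by next.
func withCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", spaCSP)
		next.ServeHTTP(w, r)
	})
}

// auditSameOrigin flags a missing default-src or any *-src source beyond 'self'/'none'.
func auditSameOrigin(policy string) []string {
	findings, hasDefault := []string{}, false
	for _, d := range strings.Split(policy, ";") {
		f := strings.Fields(strings.ToLower(d))
		if len(f) > 0 && strings.HasSuffix(f[0], "-src") {
			hasDefault = hasDefault || f[0] == "default-src"
			for _, src := range f[1:] {
				if src != "'self'" && src != "'none'" {
					findings = append(findings, f[0]+" allows "+src)
				}
			}
		}
	}
	if !hasDefault {
		findings = append(findings, "no default-src fallback")
	}
	return findings
}

// servedPolicy returns the CSP header the handler actually emits for path.
func servedPolicy(h http.Handler, path string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() { // NotFoundHandler is a constructed stand-in for the SPA file handler
	fmt.Println(auditSameOrigin(servedPolicy(withCSP(http.NotFoundHandler()), "/")))
}
```

The audit covers only `*-src` directives; `base-uri`, `form-action` and `frame-ancestors` do not fall back to `default-src` and need their own review.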
