
Commit e64bc34

Change CSP to report-only
1 parent d84b724 commit e64bc34

1 file changed

+2
-9
lines changed


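--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -47,15 +47,8 @@ http {
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 
-# Content Security Policy (single quoted string required by nginx add_header)
-# - 'unsafe-inline' in script-src: required for runtime-config.js injected at container start
-# - 'unsafe-eval' in script-src: required by RJSF (React JSON Schema Form) which uses new Function()
-# - 'unsafe-inline' in style-src: required by Ant Design CSS-in-JS
-# - blob: in connect-src: required by PDF.js viewer for blob: URL document loading
-# - cdn.jsdelivr.net: Monaco Editor loads from this CDN
-# - unpkg.com: PDF.js worker
-# - PostHog, GTM, reCAPTCHA, Stripe, Product Fruits: third-party services
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always;
+# CSP in report-only mode: logs violations to browser console without blocking requests.
+add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://cdn.jsdelivr.net https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always;
 
 # Disable TRACE and TRACK methods
 if ($request_method ~ ^(TRACE|TRACK)$) {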
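Review bot: The new Content-Security-Policy-Report-Only header on the added line carries no `report-uri`/`report-to` directive, so violations surface only in end-user browser consoles and nothing reaches the operators who would use them to tune the policy; if this is meant as a tuning phase, add a collection endpoint, e.g. append `; report-uri <REPORT_ENDPOINT_PLACEHOLDER>` to the policy string and say so in the comment instead of "logs violations to browser console". Dropping the enforced header also removes every hard CSP control, including `object-src 'none'`, `base-uri 'self'` and `frame-ancestors 'self'` (clickjacking is still covered by the X-Frame-Options line above, the other two are not); consider keeping a minimal enforced `add_header Content-Security-Policy "object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;` alongside the report-only policy. The new policy also adds `https://cdn.jsdelivr.net` to connect-src, which the removed policy did not allow and the commit title does not mention, and the deleted per-source rationale comments (why 'unsafe-inline'/'unsafe-eval' and each CDN are needed) are the only record of why the allow-list is shaped this way, so they are worth restoring above the new header. The enclosing `http {` block starts outside the hunk.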
