Security: Enable Content Security Policy#54

Open
bellisabell wants to merge 1 commit into main from bell/enable-csp

Conversation

@bellisabell
Contributor

Summary

Enable Content Security Policy (CSP) to protect against XSS and other injection attacks.

Changes

  • Uncomment and configure the CSP initializer
  • default-src: self - restrict resources to same origin by default
  • font-src: Allow Google Fonts (fonts.gstatic.com) and data URIs
  • img-src: Allow https, data:, and blob: for images (supports external images and file uploads)
  • script-src: Use self with strict-dynamic and nonces for Turbo/Stimulus compatibility
  • style-src: Allow Google Fonts CSS and unsafe-inline (needed for accent color inline styles)
  • connect-src: Allow self and https for API calls
  • frame-src: Allow tally.so for embedded forms
  • object-src: none (security best practice)
  • base-uri: self (prevent base tag hijacking)
  • form-action: self (restrict form submissions)

Security

This addresses a HIGH severity issue. A disabled CSP leaves the application vulnerable to:

  • Cross-Site Scripting (XSS) attacks
  • Data injection attacks
  • Clickjacking (partially)

Testing

After deployment, verify:

  1. Turbo/Stimulus features work correctly (nonces should handle inline scripts)
  2. Google Fonts load properly
  3. Images display correctly
  4. Tally.so forms embed successfully
  5. No CSP violations in browser console

If issues arise, consider enabling report_only mode first to identify violations before enforcing.

Closes #18

- Uncomment and configure CSP initializer
- Allow Google Fonts for font sources
- Use nonces for script sources (Turbo/Stimulus compatible)
- Allow unsafe-inline for styles (needed for accent colors)
- Allow common image sources including https, data, and blob
- Allow tally.so for embedded forms
- Set strict defaults: object-src none, base-uri self, form-action self

Security: Closes #18
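As an added example that is not the project's own initializer (the PR carries no diff on this page), the following plain Ruby assembles the directives described above into a Content-Security-Policy header value with a per-response nonce, selects the report-only header the Testing section mentions, and checks any policy string for the hardening properties this PR relies on. The 'self' entries, the fonts.googleapis.com host for the Google Fonts CSS, and all function names are assumptions.

```ruby
require 'securerandom'
require 'base64'

# Directives as the PR describes them; the 'self' entries and hosts other than
# fonts.gstatic.com and tally.so are assumptions. :nonce marks the per-request nonce.
CSP_DIRECTIVES = {
  'default-src' => ["'self'"],
  'font-src'    => ["'self'", 'https://fonts.gstatic.com', 'data:'],
  'img-src'     => ["'self'", 'https:', 'data:', 'blob:'],
  # 'strict-dynamic' makes CSP3 browsers trust only nonced scripts and what those load.
  'script-src'  => ["'self'", "'strict-dynamic'", :nonce],
  'style-src'   => ["'self'", 'https://fonts.googleapis.com', "'unsafe-inline'"],
  'connect-src' => ["'self'", 'https:'],
  'frame-src'   => ['https://tally.so'],
  'object-src'  => ["'none'"],
  'base-uri'    => ["'self'"],
  'form-action' => ["'self'"]
}.freeze
# 128-bit random nonce, regenerated for every response.
def generate_nonce
  Base64.strict_encode64(SecureRandom.random_bytes(16))
end
# Serialise the directive table into the header value for one response.
def csp_header_value(directives, nonce)
  sub = ->(s) { s == :nonce ? "'nonce-#{nonce}'" : s }
  directives.map { |name, sources| "#{name} #{sources.map(&sub).join(' ')}" }.join('; ')
end
# Report-only mode: browsers report violations but block nothing.
def csp_header_name(report_only)
  report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
end
# Parse a header value back into { directive => [sources] }.
def parse_csp(value)
  value.split(';').each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name] = sources if name
  end
end
# List the hardening properties this PR relies on that a given policy lacks.
def csp_findings(value)
  p = parse_csp(value)
  script = p['script-src'] || p['default-src'] || []
  findings = []
  findings << "script-src allows 'unsafe-inline'" if script.include?("'unsafe-inline'")
  findings << 'script-src has no nonce' unless script.any? { |s| s.start_with?("'nonce-") }
  findings << "object-src is not 'none'" unless p['object-src'] == ["'none'"]
  findings << "base-uri is not 'self'" unless p['base-uri'] == ["'self'"]
  findings << "form-action is not 'self'" unless p['form-action'] == ["'self'"]
  findings
end
```

Running csp_findings against the header the deployed app actually sends is a quick way to confirm the enforced policy matches the intent listed under Changes.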
Successfully merging this pull request may close these issues.

Security: Content Security Policy (CSP) is completely disabled