feat(security): implement CSP

2025-12-13 04:37:36 +01:00 · 2025-11-25 09:27:05 -06:00
parent 72539f9ba3
commit 9462e90f4f
1 changed files with 13 additions and 1 deletions
--- a/website/server/middlewares/index.js
+++ b/website/server/middlewares/index.js
@@ -66,7 +66,19 @@ export default function attachMiddlewares (app, server) {
  // See https://helmetjs.github.io/ for the list of headers enabled by default
  app.use(helmet({
    // New middlewares added by default in Helmet 4 are disabled
-    contentSecurityPolicy: false, // @TODO implement
+    contentSecurityPolicy: {
+      directives: {
+        imgSrc: null,
+        scriptSrc: [
+          '\'self\'',
+          'cloudfront.loggly.com',
+          'js.stripe.com',
+          'm.stripe.network',
+          'static-na.payments-amazon.com',
+        ],
+        upgradeInsecureRequests: IS_PROD ? [] : null,
+      },
+    },
    expectCt: false,
    permittedCrossDomainPolicies: false,
    referrerPolicy: false,