From 9462e90f4f3058f4014137b3178b9751c5280e97 Mon Sep 17 00:00:00 2001
From: Kalista Payne
Date: Tue, 25 Nov 2025 09:27:05 -0600
Subject: [PATCH] feat(security): implement CSP

---
 website/server/middlewares/index.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/website/server/middlewares/index.js b/website/server/middlewares/index.js
index 4cd0df9ace..6507e28a05 100644
--- a/website/server/middlewares/index.js
+++ b/website/server/middlewares/index.js
@@ -66,7 +66,19 @@ export default function attachMiddlewares (app, server) {
   // See https://helmetjs.github.io/ for the list of headers enabled by default
   app.use(helmet({
     // New middlewares added by default in Helmet 4 are disabled
-    contentSecurityPolicy: false, // @TODO implement
+    contentSecurityPolicy: {
+      directives: {
+        imgSrc: null,
+        scriptSrc: [
+          '\'self\'',
+          'cloudfront.loggly.com',
+          'js.stripe.com',
+          'm.stripe.network',
+          'static-na.payments-amazon.com',
+        ],
+        upgradeInsecureRequests: IS_PROD ? [] : null,
+      },
+    },
     expectCt: false,
     permittedCrossDomainPolicies: false,
     referrerPolicy: false,
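Review bot: The new policy goes straight to enforcement with no `reportOnly` phase and no `reportUri`/`reportTo` directive, so any first-party inline script or third-party resource type the directive list misses will be blocked silently in users' browsers instead of surfacing in a report; consider shipping it first as `contentSecurityPolicy: { reportOnly: true, directives: { ... } }` with a `reportUri` entry, then flipping to enforce. The Stripe and Amazon Pay hosts are allow-listed only under `scriptSrc`; if their widgets also load frames or make XHR calls (Stripe's own guidance lists `frame-src` and `connect-src` hosts), those requests fall back to Helmet's `default-src 'self'` and fail — confirm against the front-end before merging. `imgSrc: null` removes Helmet's default `img-src` directive so images fall back to `default-src 'self'`, which tightens rather than loosens the policy; if that is intended, say so inline, e.g. `imgSrc: null, // drop Helmet's default img-src; images fall back to default-src 'self'`. `IS_PROD` is referenced but defined outside the hunk, and attachMiddlewares continues past it.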