dev day #79

internal/middleware/security_headers.go

@@ -29,7 +29,11 @@ func SecurityHeaders() gin.HandlerFunc {
 		}
 
 		// Strict Content-Security-Policy
-		csp := buildCSP(config.AppConfig.AppEnv == "production")
+		// Prefer configured CSP from environment/config, otherwise build a safe default
+		csp := config.AppConfig.ContentSecurityPolicy
+		if csp == "" {
+			csp = buildCSP(config.AppConfig.AppEnv == "production")
+		}
 		c.Header("Content-Security-Policy", csp)
 
 		// Additional security headers
@@ -46,13 +50,13 @@ func SecurityHeaders() gin.HandlerFunc {
 // buildCSP creates a strict Content-Security-Policy
 func buildCSP(production bool) string {
 	if production {
-		// Strict production CSP
+		// Generic production CSP without hardcoded domains
 		return "default-src 'self'; " +
-			"script-src 'self' https://fonts.googleapis.com https://umami.tdvorak.dev; " +
-			"style-src 'self' https://fonts.googleapis.com; " +
+			"script-src 'self' 'unsafe-inline'; " +
+			"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
 			"font-src 'self' https://fonts.gstatic.com data:; " +
 			"img-src 'self' data: https: blob:; " +
-			"connect-src 'self' https://umami.tdvorak.dev https://zonerama.tdvorak.dev; " +
+			"connect-src 'self' https:; " +
 			"frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; " +
 			"object-src 'none'; " +
 			"base-uri 'self'; " +
@@ -61,9 +65,9 @@ func buildCSP(production bool) string {
 			"upgrade-insecure-requests;"
 	}
 
-	// Development CSP - slightly relaxed for local development
+	// Development CSP - relaxed for local development
 	return "default-src 'self'; " +
-		"script-src 'self' 'unsafe-eval' 'unsafe-inline' https://fonts.googleapis.com https://umami.tdvorak.dev; " +
+		"script-src 'self' 'unsafe-eval' 'unsafe-inline' https://fonts.googleapis.com; " +
 		"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
 		"font-src 'self' https://fonts.gstatic.com data:; " +
 		"img-src 'self' data: https: http: blob:; " +