authorFuwn <[email protected]>2026-06-01 13:09:56 +0000
committerFuwn <[email protected]>2026-06-01 13:09:56 +0000
commit571e8b7961660aa193f755f8e4bb71e0984486da (patch)
treea4819275b8cd8f8fb61bfac6310400eb3f081916 /svelte.config.js
parentfix(security): mark auth cookies Secure outside localhost (diff)
feat(security): add Content-Security-Policy
No CSP existed, leaving the app without defense-in-depth against XSS. Add a SvelteKit nonce-based policy (mode: auto): script-src limited to self + per-request nonce + the analytics/Vercel script hosts, object-src none, base-uri and frame-ancestors self. img/style/font/connect stay permissive (https:) so the image proxy, CDNs, fonts and the many cross-origin API calls keep working; the two inline app.html scripts carry %sveltekit.nonce%. Verified in-browser across routes (no violations, HMR and hydration intact) and via a production build.
Diffstat (limited to 'svelte.config.js')
-rw-r--r--svelte.config.js23
1 files changed, 23 insertions, 0 deletions
diff --git a/svelte.config.js b/svelte.config.js
index 1f92f2c7..9ef30e18 100644
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -13,6 +13,29 @@ const config = {
$graphql: "./src/graphql",
$houdini: "./$houdini",
},
+ csp: {
+ mode: "auto",
+ directives: {
+ "default-src": ["self"],
+ "script-src": [
+ "self",
+ "https://analytics.fuwn.me",
+ "https://va.vercel-scripts.com",
+ ],
+ "style-src": ["self", "unsafe-inline", "https://proxy.due.moe"],
+ "font-src": [
+ "self",
+ "data:",
+ "https://fonts.gstatic.com",
+ "https://proxy.due.moe",
+ ],
+ "img-src": ["self", "data:", "blob:", "https:"],
+ "connect-src": ["self", "https:", "ws:", "wss:"],
+ "object-src": ["none"],
+ "base-uri": ["self"],
+ "frame-ancestors": ["self"],
+ },
+ },
},
split: true,
};
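Review bot: The new directives block omits `form-action`, which `default-src` does not govern, so an injected `<form action="https://…">` can still submit user input off-origin even with script execution locked down; adding `"form-action": ["self"],` next to `"base-uri"` closes that gap. In `connect-src`, `ws:` permits plaintext WebSocket connections to any host in production; if it is only there for the Vite HMR socket in development, consider including it conditionally on the dev/build environment rather than unconditionally. Note also that on any prerendered route SvelteKit delivers the policy via a `<meta http-equiv>` tag, where `frame-ancestors` is ignored by browsers, so clickjacking protection for such routes would need a header set elsewhere (hooks or the hosting config). Finally, SvelteKit's csp config supports a `reportOnly` block with a `report-uri`/`report-to` directive, which would give violation visibility before tightening the still-permissive `img-src`/`connect-src` `https:` sources.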