From 571e8b7961660aa193f755f8e4bb71e0984486da Mon Sep 17 00:00:00 2001 From: Fuwn Date: Mon, 1 Jun 2026 13:09:56 +0000 Subject: feat(security): add Content-Security-Policy No CSP existed, leaving the app without defense-in-depth against XSS. Add a SvelteKit nonce-based policy (mode: auto): script-src limited to self + per-request nonce + the analytics/Vercel script hosts, object-src none, base-uri and frame-ancestors self. img/style/font/connect stay permissive (https:) so the image proxy, CDNs, fonts and the many cross-origin API calls keep working; the two inline app.html scripts carry %sveltekit.nonce%. Verified in-browser across routes (no violations, HMR and hydration intact) and via a production build. --- src/app.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/app.html b/src/app.html index a8eceb73..1f9fc4dd 100644 --- a/src/app.html +++ b/src/app.html @@ -94,7 +94,7 @@ - -
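Review bot: the diff is path-limited to src (see "(limited to 'src')"), so only the two %sveltekit.nonce% attributes in src/app.html are shown; the svelte.config.js change that defines kit.csp (mode auto and the directive list in the message) is not in this patch, and the nonce attributes do nothing until that config is present, so the config change should be part of the same commit or explicitly referenced. Also, the message keeps connect-src at https:, which means script that does get injected can still reach any HTTPS origin, so the defense-in-depth gained from the strict script-src is narrower than the summary suggests; listing the API hosts that the "many cross-origin API calls" actually use would close that gap.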
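The policy the commit message describes, written out as the svelte.config.js kit.csp block together with a small renderer that shows the resulting header value and a check for the properties the commit claims. This is an added example, not code from the commit; the two script host names are placeholders, since the config file itself is not in the diff shown.

```javascript
// Added example, not the project's code. Host names are placeholders: the
// real analytics/Vercel script hosts are not in the diff shown.
const ANALYTICS_HOST = 'https://analytics.example'; // placeholder
const VERCEL_SCRIPT_HOST = 'https://vercel.example'; // placeholder

const config = {
  kit: {
    csp: {
      mode: 'auto', // nonce for SSR responses, hashes for prerendered pages
      directives: {
        'script-src': ['self', ANALYTICS_HOST, VERCEL_SCRIPT_HOST],
        'object-src': ['none'],
        'base-uri': ['self'],
        'frame-ancestors': ['self'],
        // Kept broad on purpose, per the commit: image proxy, CDNs, fonts, APIs.
        'img-src': ['self', 'https:'],
        'style-src': ['self', 'https:'],
        'font-src': ['self', 'https:'],
        'connect-src': ['self', 'https:'],
      },
    },
  },
};
// In the real file this object is `export default`ed; omitted so the block runs alone.

const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic']);

// Render the directive map to a Content-Security-Policy header value, appending
// the per-request nonce source to script-src the way nonce mode does (SvelteKit
// does this itself; mirrored here so the policy can be inspected as one string).
function renderPolicy(directives, nonce) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const sources = values.map((v) => (KEYWORDS.has(v) ? `'${v}'` : v));
      if (name === 'script-src' && nonce) sources.push(`'nonce-${nonce}'`);
      return `${name} ${sources.join(' ')}`;
    })
    .join('; ');
}

// The properties that make this a script-blocking policy: no inline, scheme or
// wildcard script sources, and no plugin loading. False if either is missing.
function scriptPolicyIsStrict(directives) {
  const script = directives['script-src'] ?? [];
  const object = directives['object-src'] ?? [];
  const scriptOk = script.includes('self') && !script.some((s) => s === 'unsafe-inline' || s.endsWith(':') || s === '*');
  return scriptOk && object.includes('none');
}
```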