From 571e8b7961660aa193f755f8e4bb71e0984486da Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Mon, 1 Jun 2026 13:09:56 +0000
Subject: feat(security): add Content-Security-Policy

No CSP existed, leaving the app without defense-in-depth against XSS. Add a SvelteKit nonce-based policy (mode: auto): script-src limited to self + per-request nonce + the analytics/Vercel script hosts, object-src none, base-uri and frame-ancestors self. img/style/font/connect stay permissive (https:) so the image proxy, CDNs, fonts and the many cross-origin API calls keep working; the two inline app.html scripts carry %sveltekit.nonce%. Verified in-browser across routes (no violations, HMR and hydration intact) and via a production build.
---
svelte.config.js | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
(limited to 'svelte.config.js')

diff --git a/svelte.config.js b/svelte.config.js
index 1f92f2c7..9ef30e18 100644
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -13,6 +13,29 @@ const config = {
 $graphql: "./src/graphql",
 $houdini: "./$houdini",
 },
+ csp: {
+ mode: "auto",
+ directives: {
+ "default-src": ["self"],
+ "script-src": [
+ "self",
+ "https://analytics.fuwn.me",
+ "https://va.vercel-scripts.com",
+ ],
+ "style-src": ["self", "unsafe-inline", "https://proxy.due.moe"],
+ "font-src": [
+ "self",
+ "data:",
+ "https://fonts.gstatic.com",
+ "https://proxy.due.moe",
+ ],
+ "img-src": ["self", "data:", "blob:", "https:"],
+ "connect-src": ["self", "https:", "ws:", "wss:"],
+ "object-src": ["none"],
+ "base-uri": ["self"],
+ "frame-ancestors": ["self"],
+ },
+ },
 },
 split: true,
 };
-- 
cgit v1.2.3
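Review bot: `ws:` in `connect-src` is shipped to production as well as dev, where it permits plaintext WebSocket connections to any host; the commit message suggests only the dev-server HMR socket needs it, so narrow it to the dev origin, e.g. `"connect-src": ["self", "https:", "wss:", "ws://localhost:*"],` (adjust the host if the dev server is reached another way). `frame-ancestors` is ignored when the policy is delivered in a `<meta http-equiv>` tag, which is how SvelteKit emits it for prerendered pages under `mode: "auto"`, so if any route is prerendered the clickjacking protection this commit describes needs a real response header (a `handle` hook or the host's headers config) too. Consider adding `"form-action": ["self"],` — form submissions do not fall back to `default-src`, leaving an exfiltration path the rest of the policy closes. `"unsafe-inline"` in `style-src` is the trade-off the message already acknowledges; a `reportOnly`/`report-uri` rollout would surface the violations before tightening it.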