
Tighten Content Security Policy (remove unsafe-inline/unsafe-eval) #88

@tacheraSasi

Summary

Tighten the Content Security Policy and remove unsafe-inline/unsafe-eval to strengthen XSS protection.

Current State

  • CSP is set in pkg/middleware/security.go
  • Currently allows 'unsafe-inline' for styles and 'unsafe-eval' + 'unsafe-inline' for scripts
  • This significantly weakens XSS protection

Tasks

  • Remove 'unsafe-eval' from script-src (refactor frontend if needed)
  • Replace 'unsafe-inline' in script-src with nonce-based CSP
  • Generate per-request nonce and inject into HTML template
  • Add form-action 'self' directive
  • Add base-uri 'self' directive
  • Add upgrade-insecure-requests when TLS is active
  • Test frontend still works after CSP tightening
  • Consider adding report-uri or report-to for CSP violation monitoring

Why

unsafe-inline and unsafe-eval in CSP effectively disable XSS protection. Tightening CSP is a high-impact security hardening step.
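One way to implement the nonce-based middleware the tasks above call for, as an added example rather than code from this repository: it assumes a plain net/http stack (the project's pkg/middleware/security.go is not reproduced here), derives the TLS flag from r.TLS, and renders a constructed html/template page so the nonce injection can be seen end to end.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"html/template"
	"net/http"
)

type nonceKey struct{}

// buildCSP assembles the tightened policy: no 'unsafe-inline' or 'unsafe-eval', a per-request
// nonce for scripts and styles, form-action/base-uri pinned to 'self', upgrade only over TLS.
func buildCSP(nonce string, tls bool) string {
	p := "default-src 'self'; script-src 'self' 'nonce-" + nonce + "'; " +
		"style-src 'self' 'nonce-" + nonce + "'; " +
		"object-src 'none'; form-action 'self'; base-uri 'self'"
	if tls {
		p += "; upgrade-insecure-requests"
	}
	return p
}

// CSPMiddleware mints a fresh nonce per request, sets the header and passes the nonce downstream.
func CSPMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw := make([]byte, 16) // 128 bits from the CSPRNG
		if _, err := rand.Read(raw); err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		// Unpadded URL-safe base64 is valid nonce syntax and survives html/template attribute escaping.
		nonce := base64.RawURLEncoding.EncodeToString(raw)
		w.Header().Set("Content-Security-Policy", buildCSP(nonce, r.TLS != nil))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

func NonceFrom(ctx context.Context) string {
	n, _ := ctx.Value(nonceKey{}).(string)
	return n
}

// Constructed sample template (not the project's own); every inline <script> must carry the nonce.
var page = template.Must(template.New("page").Parse(`<script nonce="{{.Nonce}}">console.log("csp ok")</script>`))

func renderPage(w http.ResponseWriter, r *http.Request) {
	_ = page.Execute(w, map[string]string{"Nonce": NonceFrom(r.Context())}) // error handling elided
}
```

Behind a TLS-terminating reverse proxy r.TLS is nil, so the upgrade-insecure-requests decision should come from configuration or a trusted forwarded-proto header instead. Any remaining inline handler attributes (onclick and the like) still have to move into nonced script blocks, which is the frontend refactor the first task mentions.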

Labels: hardening (Security hardening)