From 419c2d70de392ae434b15824cac0d9dda2f50fb4 Mon Sep 17 00:00:00 2001
From: Aryan Bansal
Date: Sat, 13 Jun 2026 11:38:17 +0530
Subject: [PATCH] fix: add Content-Security-Policy header to all responses (#848)

- Add CSP header restricting script, style, and resource sources
- Prevents XSS and unauthorized resource loading

---
 app.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/app.py b/app.py
index 57f20cb..879112d 100644
--- a/app.py
+++ b/app.py
@@ -38,6 +38,24 @@ def add_security_headers(response):
     response.headers["Permissions-Policy"] = (
         "geolocation=(), microphone=(), camera=()"
     )
+    response.headers["Content-Security-Policy"] = (
+        "default-src 'self'; "
+        "script-src 'self' 'unsafe-inline'; "
+        "style-src 'self' 'unsafe-inline'; "
+        "img-src 'self' data:; "
+        "font-src 'self'; "
+        "connect-src 'self'; "
+        "frame-ancestors 'none'"
+    )
+    response.headers["Content-Security-Policy"] = (
+        "default-src 'self'; "
+        "script-src 'self' 'unsafe-inline'; "
+        "style-src 'self' 'unsafe-inline'; "
+        "img-src 'self' data:; "
+        "font-src 'self'; "
+        "connect-src 'self'; "
+        "frame-ancestors 'none'"
+    )
     return response
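Review bot: The `Content-Security-Policy` header is assigned twice with an identical value in this hunk; the second assignment just overwrites the first, so one of the two nine-line blocks should be deleted. Separately, `"script-src 'self' 'unsafe-inline'; "` permits any inline script, which is precisely what a reflected or stored XSS payload relies on, so the policy does not deliver the XSS protection the commit description claims; replacing `'unsafe-inline'` with a per-response nonce or hashes of the app's existing inline scripts (e.g. `"script-src 'self' 'nonce-<per-request-value>'; "`) is what makes the directive effective, and the same caveat applies more mildly to `style-src`. `base-uri` and `form-action` do not fall back to `default-src`, so adding `"base-uri 'self'; form-action 'self'; "` would close the corresponding injection paths at little cost. The enclosing `add_security_headers` starts above the hunk, and the header's old-line count of six exceeds the four context lines visible here, so the function's tail may be cut off in this view.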