From e905c78f5236c4fdd531f3bc070e9de2392de187 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Gierwia=C5=82o?=
Date: Sat, 6 Dec 2025 17:28:12 +0100
Subject: [PATCH] fix(csp): remove duplicate CSP from nginx and allow Cloudflare Turnstile

- Updated backend/src/app.js to allow Cloudflare domains in CSP
- Added https://challenges.cloudflare.com to scriptSrc
- Added https://challenges.cloudflare.com to connectSrc
- Added https://challenges.cloudflare.com to frameSrc
- Removed duplicate CSP from nginx/conf.d.prod/default.conf
- CSP is now managed only by backend Helmet middleware
- Prevents conflicting security policies
---
 nginx/conf.d.prod/default.conf | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/nginx/conf.d.prod/default.conf b/nginx/conf.d.prod/default.conf
index 01f84c9..9a1594b 100644
--- a/nginx/conf.d.prod/default.conf
+++ b/nginx/conf.d.prod/default.conf
@@ -12,16 +12,13 @@ server {
 client_max_body_size 500M;
- # Security headers
+ # Security headers (CSP is set by backend Helmet middleware)
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
- # Strict Content Security Policy for production
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';" always;
-
 # Block access to sensitive files and directories
 location ~ /\. {
 deny all;
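Review bot: The commit message says backend/src/app.js was updated to allow https://challenges.cloudflare.com in scriptSrc, connectSrc and frameSrc, but the diffstat lists only nginx/conf.d.prod/default.conf (1 file changed), so this commit drops the nginx Content-Security-Policy header without the Helmet change that is supposed to replace it; either the app.js change belongs in this commit or the description should not claim it. After this hunk only responses that pass through the backend carry a CSP at all; anything nginx answers itself (static files or custom error pages, if this config has such locations — they are not visible in the hunk) loses the previous `default-src 'self'` policy entirely, which is a regression rather than a de-duplication. That is worth confirming against the rest of default.conf before merging, and the comment on the new line should record the dependency explicitly, e.g. `# Security headers (CSP is set by backend Helmet middleware in backend/src/app.js; responses nginx serves directly carry no CSP)`.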