From 9ed1e25a5668c693f6fe0d00f0694b4bebab0992 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Mon, 17 Nov 2025 18:01:49 +0100
Subject: [PATCH 1/3] chore(api,docs): update unpkg libraries, specify SRI hash

---
 api.go                         |  9 ++-------
 docs/docs/features/api-docs.md | 14 +++++---------
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/api.go b/api.go
index e93c88fd..b1fcb9d9 100644
--- a/api.go
+++ b/api.go
@@ -488,20 +488,15 @@ func NewAPI(config Config, a Adapter) API {
     <meta name="referrer" content="same-origin" />
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
     <title>` + title + `</title>
-    <!-- Embed elements Elements via Web Component -->
-    <link href="https://unpkg.com/@stoplight/elements@9.0.0/styles.min.css" rel="stylesheet" />
-    <script src="https://unpkg.com/@stoplight/elements@9.0.0/web-components.min.js" integrity="sha256-Tqvw1qE2abI+G6dPQBc5zbeHqfVwGoamETU3/TSpUw4="
-            crossorigin="anonymous"></script>
+    <link rel="stylesheet" href="https://unpkg.com/@stoplight/elements@9.0.12/styles.min.css" crossorigin integrity="sha384-iVQBHadsD+eV0M5+ubRCEVXrXEBj+BqcuwjUwPoVJc0Pb1fmrhYSAhL+BFProHdV" />
+    <script src="https://unpkg.com/@stoplight/elements@9.0.12/web-components.min.js" crossorigin integrity="sha384-2AG+Hh93OYHuMcQJPPLM2671WnQzoHvHXh9FwbRfwMpyMLNc3++q/nJBKeVY0JMo"></script>
   </head>
   <body style="height: 100vh;">
-
     <elements-api
       apiDescriptionUrl="` + openAPIPath + `.yaml"
       router="hash"
-      layout="sidebar"
       tryItCredentialsPolicy="same-origin"
     />
-
   </body>
 </html>`))
 		})
diff --git a/docs/docs/features/api-docs.md b/docs/docs/features/api-docs.md
index baca3402..2c77399d 100644
--- a/docs/docs/features/api-docs.md
+++ b/docs/docs/features/api-docs.md
@@ -38,17 +38,13 @@ router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
     <meta name="referrer" content="same-origin" />
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
     <title>Docs Example reference</title>
-    <!-- Embed elements Elements via Web Component -->
-    <link href="https://unpkg.com/@stoplight/elements@8.0.0/styles.min.css" rel="stylesheet" />
-    <script src="https://unpkg.com/@stoplight/elements@8.0.0/web-components.min.js"
-            integrity="sha256-yIhuSFMJJ6mp2XTUAb4SiSYneP3Qav8Uu+7NBhGJW5A="
-            crossorigin="anonymous"></script>
+    <link rel="stylesheet" href="https://unpkg.com/@stoplight/elements@9.0.12/styles.min.css" crossorigin integrity="sha384-iVQBHadsD+eV0M5+ubRCEVXrXEBj+BqcuwjUwPoVJc0Pb1fmrhYSAhL+BFProHdV" />
+    <script src="https://unpkg.com/@stoplight/elements@9.0.12/web-components.min.js" crossorigin integrity="sha384-2AG+Hh93OYHuMcQJPPLM2671WnQzoHvHXh9FwbRfwMpyMLNc3++q/nJBKeVY0JMo"></script>
   </head>
   <body style="height: 100vh;">
     <elements-api
       apiDescriptionUrl="/openapi.yaml"
       router="hash"
-      layout="stacked"
       tryItCredentialsPolicy="same-origin"
     />
   </body>
@@ -84,7 +80,7 @@ router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
     <script
       id="api-reference"
       data-url="/openapi.json"></script>
-    <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
+    <script src="https://unpkg.com/@scalar/api-reference@1.39.3/dist/browser/standalone.js" crossorigin integrity="sha384-76/gvOpu0/XSY2z9BOX4MhHQJACTk0S2GW1Cwh9gRMhcf3sf7mYqKbmMA1PDl3mL"></script>
   </body>
 </html>`))
 })
@@ -112,11 +108,11 @@ router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <meta name="description" content="SwaggerUI" />
   <title>SwaggerUI</title>
-  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui.css" />
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.30.2/swagger-ui.css" crossorigin integrity="sha384-++DMKo1369T5pxDNqojF1F91bYxYiT1N7b1M15a7oCzEodfljztKlApQoH6eQSKI" />
 </head>
 <body>
 <div id="swagger-ui"></div>
-<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js" crossorigin></script>
+<script src="https://unpkg.com/swagger-ui-dist@5.30.2/swagger-ui-bundle.js" crossorigin integrity="sha384-bBdB196maIUakX6v2F6J0XcjddQfaENm8kASsYfqTKCZua9xlYNh1AdtL18PGr0D"></script>
 <script>
   window.onload = () => {
     window.ui = SwaggerUIBundle({

From 03bdd0b2e392cd507208f1980d13ec725a7c834b Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Mon, 17 Nov 2025 18:03:00 +0100
Subject: [PATCH 2/3] chore(api,docs): use strict CSPs for docs Web UI

---
 api.go                         | 11 +++++++++++
 docs/docs/features/api-docs.md | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/api.go b/api.go
index b1fcb9d9..44dfa5e8 100644
--- a/api.go
+++ b/api.go
@@ -477,6 +477,17 @@ func NewAPI(config Config, a Adapter) API {
 				openAPIPath = path.Join(prefix, openAPIPath)
 			}
 			ctx.SetHeader("Content-Type", "text/html")
+			// Very strict CSP so we never expose any data to the outside world
+			ctx.SetHeader("Content-Security-Policy",
+				"default-src 'none';"+
+					" base-uri 'none';"+
+					" connect-src 'self';"+
+					" form-action 'none';"+
+					" frame-ancestors 'none';"+
+					" sandbox allow-same-origin allow-scripts;"+
+					" script-src https://unpkg.com/;"+
+					" style-src 'unsafe-inline' https://unpkg.com/;"+
+					" trusted-types 'none'")
 			title := "Elements in HTML"
 			if config.Info != nil && config.Info.Title != "" {
 				title = config.Info.Title + " Reference"
diff --git a/docs/docs/features/api-docs.md b/docs/docs/features/api-docs.md
index 2c77399d..854aa623 100644
--- a/docs/docs/features/api-docs.md
+++ b/docs/docs/features/api-docs.md
@@ -31,6 +31,17 @@ api := humachi.New(router, config)
 
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html")
+	// Very strict CSP so we never expose any data to the outside world
+	w.Header().Set("Content-Security-Policy",
+		"default-src 'none';"+
+			" base-uri 'none';"+
+			" connect-src 'self';"+
+			" form-action 'none';"+
+			" frame-ancestors 'none';"+
+			" sandbox allow-same-origin allow-scripts;"+
+			" script-src https://unpkg.com/;"+
+			" style-src 'unsafe-inline' https://unpkg.com/;"+
+			" trusted-types 'none'")
 	w.Write([]byte(`<!doctype html>
 <html lang="en">
   <head>
@@ -67,6 +78,17 @@ api := humachi.New(router, config)
 
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html")
+	// Very strict CSP so we never expose any data to the outside world
+	w.Header().Set("Content-Security-Policy",
+		"default-src 'none';"+
+			" base-uri 'none';"+
+			" connect-src 'self';"+
+			" form-action 'none';"+
+			" frame-ancestors 'none';"+
+			" sandbox allow-same-origin allow-scripts;"+
+			" script-src 'unsafe-eval' https://unpkg.com/;"+ // TODO: Somehow drop 'unsafe-eval'
+			" style-src 'unsafe-inline' https://unpkg.com/;"+ // TODO: Somehow drop 'unsafe-inline'
+			" trusted-types 'none'")
 	w.Write([]byte(`<!doctype html>
 <html>
   <head>
@@ -101,6 +123,17 @@ api := humachi.New(router, config)
 
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html")
+	// Very strict CSP so we never expose any data to the outside world
+	w.Header().Set("Content-Security-Policy",
+		"default-src 'none';"+
+			" base-uri 'none';"+
+			" connect-src 'self';"+
+			" form-action 'none';"+
+			" frame-ancestors 'none';"+
+			" sandbox allow-same-origin allow-scripts;"+
+			" script-src https://unpkg.com/ 'sha256-SWB2p1nUb0MJzt5MoVlrz+PWYxv53T2z7GdKFxZm9i4=';"+
+			" style-src https://unpkg.com/;"+
+			" trusted-types 'none'")
 	w.Write([]byte(`<!DOCTYPE html>
 <html lang="en">
 <head>

From d8507bb2d454c7b8aa9ffa8230c81447092a1ca1 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Mon, 17 Nov 2025 18:08:48 +0100
Subject: [PATCH 3/3] chore(api,docs): use uniform HTML structure across all
 different API doc samples

---
 api.go                         |  23 +++----
 docs/docs/features/api-docs.md | 116 +++++++++++++++++----------------
 2 files changed, 71 insertions(+), 68 deletions(-)

diff --git a/api.go b/api.go
index 44dfa5e8..d7a1b7da 100644
--- a/api.go
+++ b/api.go
@@ -478,21 +478,22 @@ func NewAPI(config Config, a Adapter) API {
 			}
 			ctx.SetHeader("Content-Type", "text/html")
 			// Very strict CSP so we never expose any data to the outside world
-			ctx.SetHeader("Content-Security-Policy",
-				"default-src 'none';"+
-					" base-uri 'none';"+
-					" connect-src 'self';"+
-					" form-action 'none';"+
-					" frame-ancestors 'none';"+
-					" sandbox allow-same-origin allow-scripts;"+
-					" script-src https://unpkg.com/;"+
-					" style-src 'unsafe-inline' https://unpkg.com/;"+
-					" trusted-types 'none'")
+			csp := []string{
+				"default-src 'none'",
+				"base-uri 'none'",
+				"connect-src 'self'",
+				"form-action 'none'",
+				"frame-ancestors 'none'",
+				"sandbox allow-same-origin allow-scripts",
+				"script-src https://unpkg.com/",
+				"style-src 'unsafe-inline' https://unpkg.com/",
+			}
+			ctx.SetHeader("Content-Security-Policy", strings.Join(csp, "; "))
 			title := "Elements in HTML"
 			if config.Info != nil && config.Info.Title != "" {
 				title = config.Info.Title + " Reference"
 			}
-			ctx.BodyWriter().Write([]byte(`<!doctype html>
+			ctx.BodyWriter().Write([]byte(`<!DOCTYPE html>
 <html lang="en">
   <head>
     <meta charset="utf-8" />
diff --git a/docs/docs/features/api-docs.md b/docs/docs/features/api-docs.md
index 854aa623..b09788f2 100644
--- a/docs/docs/features/api-docs.md
+++ b/docs/docs/features/api-docs.md
@@ -32,22 +32,23 @@ api := humachi.New(router, config)
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html")
 	// Very strict CSP so we never expose any data to the outside world
-	w.Header().Set("Content-Security-Policy",
-		"default-src 'none';"+
-			" base-uri 'none';"+
-			" connect-src 'self';"+
-			" form-action 'none';"+
-			" frame-ancestors 'none';"+
-			" sandbox allow-same-origin allow-scripts;"+
-			" script-src https://unpkg.com/;"+
-			" style-src 'unsafe-inline' https://unpkg.com/;"+
-			" trusted-types 'none'")
-	w.Write([]byte(`<!doctype html>
+	csp := []string{
+		"default-src 'none'",
+		"base-uri 'none'",
+		"connect-src 'self'",
+		"form-action 'none'",
+		"frame-ancestors 'none'",
+		"sandbox allow-same-origin allow-scripts",
+		"script-src https://unpkg.com/",
+		"style-src 'unsafe-inline' https://unpkg.com/",
+	}
+	w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
+	w.Write([]byte(`<!DOCTYPE html>
 <html lang="en">
   <head>
     <meta charset="utf-8" />
-    <meta name="referrer" content="same-origin" />
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
+    <meta name="referrer" content="same-origin" />
     <title>Docs Example reference</title>
     <link rel="stylesheet" href="https://unpkg.com/@stoplight/elements@9.0.12/styles.min.css" crossorigin integrity="sha384-iVQBHadsD+eV0M5+ubRCEVXrXEBj+BqcuwjUwPoVJc0Pb1fmrhYSAhL+BFProHdV" />
     <script src="https://unpkg.com/@stoplight/elements@9.0.12/web-components.min.js" crossorigin integrity="sha384-2AG+Hh93OYHuMcQJPPLM2671WnQzoHvHXh9FwbRfwMpyMLNc3++q/nJBKeVY0JMo"></script>
@@ -79,24 +80,24 @@ api := humachi.New(router, config)
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html")
 	// Very strict CSP so we never expose any data to the outside world
-	w.Header().Set("Content-Security-Policy",
-		"default-src 'none';"+
-			" base-uri 'none';"+
-			" connect-src 'self';"+
-			" form-action 'none';"+
-			" frame-ancestors 'none';"+
-			" sandbox allow-same-origin allow-scripts;"+
-			" script-src 'unsafe-eval' https://unpkg.com/;"+ // TODO: Somehow drop 'unsafe-eval'
-			" style-src 'unsafe-inline' https://unpkg.com/;"+ // TODO: Somehow drop 'unsafe-inline'
-			" trusted-types 'none'")
-	w.Write([]byte(`<!doctype html>
-<html>
+	csp := []string{
+		"default-src 'none'",
+		"base-uri 'none'",
+		"connect-src 'self'",
+		"form-action 'none'",
+		"frame-ancestors 'none'",
+		"sandbox allow-same-origin allow-scripts",
+		"script-src 'unsafe-eval' https://unpkg.com/", // TODO: Somehow drop 'unsafe-eval'
+		"style-src 'unsafe-inline' https://unpkg.com/", // TODO: Somehow drop 'unsafe-inline'
+	}
+	w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
+	w.Write([]byte(`<!DOCTYPE html>
+<html lang="en">
   <head>
-    <title>API Reference</title>
     <meta charset="utf-8" />
-    <meta
-      name="viewport"
-      content="width=device-width, initial-scale=1" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="referrer" content="same-origin" />
+    <title>API Reference</title>
   </head>
   <body>
     <script
@@ -124,37 +125,38 @@ api := humachi.New(router, config)
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html")
 	// Very strict CSP so we never expose any data to the outside world
-	w.Header().Set("Content-Security-Policy",
-		"default-src 'none';"+
-			" base-uri 'none';"+
-			" connect-src 'self';"+
-			" form-action 'none';"+
-			" frame-ancestors 'none';"+
-			" sandbox allow-same-origin allow-scripts;"+
-			" script-src https://unpkg.com/ 'sha256-SWB2p1nUb0MJzt5MoVlrz+PWYxv53T2z7GdKFxZm9i4=';"+
-			" style-src https://unpkg.com/;"+
-			" trusted-types 'none'")
+	csp := []string{
+		"default-src 'none'",
+		"base-uri 'none'",
+		"connect-src 'self'",
+		"form-action 'none'",
+		"frame-ancestors 'none'",
+		"sandbox allow-same-origin allow-scripts",
+		"script-src https://unpkg.com/ 'sha256-pyvxInx2c2C9E/dNMA9dfGa9z3Lhk9YDz1ET62LbfZs='",
+		"style-src https://unpkg.com/",
+	}
+	w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
 	w.Write([]byte(`<!DOCTYPE html>
 <html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <meta name="description" content="SwaggerUI" />
-  <title>SwaggerUI</title>
-  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.30.2/swagger-ui.css" crossorigin integrity="sha384-++DMKo1369T5pxDNqojF1F91bYxYiT1N7b1M15a7oCzEodfljztKlApQoH6eQSKI" />
-</head>
-<body>
-<div id="swagger-ui"></div>
-<script src="https://unpkg.com/swagger-ui-dist@5.30.2/swagger-ui-bundle.js" crossorigin integrity="sha384-bBdB196maIUakX6v2F6J0XcjddQfaENm8kASsYfqTKCZua9xlYNh1AdtL18PGr0D"></script>
-<script>
-  window.onload = () => {
-    window.ui = SwaggerUIBundle({
-      url: '/openapi.json',
-      dom_id: '#swagger-ui',
-    });
-  };
-</script>
-</body>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="referrer" content="same-origin" />
+    <title>SwaggerUI</title>
+    <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.30.2/swagger-ui.css" crossorigin integrity="sha384-++DMKo1369T5pxDNqojF1F91bYxYiT1N7b1M15a7oCzEodfljztKlApQoH6eQSKI" />
+  </head>
+  <body>
+    <div id="swagger-ui"></div>
+    <script src="https://unpkg.com/swagger-ui-dist@5.30.2/swagger-ui-bundle.js" crossorigin integrity="sha384-bBdB196maIUakX6v2F6J0XcjddQfaENm8kASsYfqTKCZua9xlYNh1AdtL18PGr0D"></script>
+    <script>
+      window.onload = () => {
+        window.ui = SwaggerUIBundle({
+          url: '/openapi.json',
+          dom_id: '#swagger-ui',
+        });
+      };
+    </script>
+  </body>
 </html>`))
 })
 ```