@@ -17,6 +17,8 @@ const config: HeadersConfig = {
1717 pattern : '/*' ,
1818 headers : {
1919 'Content-Security-Policy' : {
20+ // Allow AJAX/fetch requests to status page, marketing site, HubSpot,
21+ // and Google services for analytics and tag management
2022 'connect-src' : [
2123 `'self'` ,
2224 'https://status.maxmind.com' ,
@@ -30,18 +32,28 @@ const config: HeadersConfig = {
3032 'https://*.g.doubleclick.net' ,
3133 'https://*.google.com' ,
3234 ] ,
35+ // Fallback for resources not covered by other directives
3336 'default-src' : [ `'self'` ] ,
37+ // Allow fonts from our site and Google Fonts
3438 'font-src' : [ `'self'` , 'https://fonts.gstatic.com' ] ,
39+ // Only allow form submissions to our own domain
3540 'form-action' : [ `'self'` ] ,
41+ // Prevent this site from being embedded in iframes on other domains
3642 'frame-ancestors' : [ `'self'` ] ,
43+ // Allow embedding content from HubSpot and Google services
3744 'frame-src' : [
3845 `'self'` ,
3946 'https://app.hubspot.com' ,
4047 'https://www.google.com' ,
4148 'https://www.googletagmanager.com' ,
4249 ] ,
50+ // Allow images from our site, data URIs, and any HTTPS source
4351 'img-src' : [ `'self'` , 'data:' , 'https:' ] ,
52+ // Block all plugins (Flash, Java, etc.)
4453 'object-src' : [ `'none'` ] ,
54+ // Allow scripts from our site, HubSpot, Google services, and inline scripts
55+ // 'unsafe-inline' needed for HubSpot and Google Tag Manager
56+ // 'report-sample' includes script sample in violation reports
4557 'script-src' : [
4658 `'self'` ,
4759 `'report-sample'` ,
@@ -57,6 +69,8 @@ const config: HeadersConfig = {
5769 'https://www.google.com' ,
5870 'https://*.googletagmanager.com' ,
5971 ] ,
72+ // Allow styles from our site, Google Fonts, and inline styles
73+ // 'unsafe-inline' needed for dynamic styling
6074 'style-src' : [
6175 `'self'` ,
6276 `'unsafe-inline'` ,
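Review bot: The comment added at new lines 54-55 records `'unsafe-inline'` in script-src as simply "needed", but with it present the script-src allow-list no longer blocks injected inline scripts, which is the main XSS mitigation a CSP provides; the directive's full value list is not visible in this section, so I am going by the comment. I would reword it to `// 'unsafe-inline' is required by the current HubSpot and GTM inline snippets; it also permits any injected inline script, so migrate these to nonce- or hash-based loading and drop it` so the trade-off is recorded next to the exemption. Separately, the directives shown are in alphabetical order and no `base-uri` entry appears before `connect-src`, and `default-src` does not govern it, so an injected `<base>` element could redirect relative script and resource URLs; adding a `'base-uri'` directive set to `'self'` closes that gap. The `config` object begins before the first hunk and the `style-src` array continues past the last visible line.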