@@ -17,64 +17,102 @@ const config: HeadersConfig = {
1717 pattern : '/*' ,
1818 headers : {
1919 'Content-Security-Policy' : {
20- // Allow AJAX/fetch requests to status page, marketing site, HubSpot,
21- // and Google services for analytics and tag management
2220 'connect-src' : [
2321 "'self'" ,
2422 'https://status.maxmind.com' ,
2523 'https://www.maxmind.com' ,
24+
25+ // eslint-disable-next-line max-len
26+ // https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
27+
28+ // HubSpot API
2629 'https://api.hubspot.com' ,
30+
31+ // HubSpot static assets (conversations embed)
2732 'https://static.hsappstatic.net' ,
33+
2834 'https://*.googleapis.com' ,
35+
36+ // eslint-disable-next-line max-len
37+ // https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
2938 'https://*.google-analytics.com' ,
3039 'https://*.analytics.google.com' ,
3140 'https://*.googletagmanager.com' ,
41+
42+ // https://developers.google.com/tag-platform/security/guides/csp#google_ads
3243 'https://*.g.doubleclick.net' ,
44+
45+ // Google domains (various TLDs for international support)
3346 'https://*.google.com' ,
3447 ] ,
35- // Fallback for resources not covered by other directives
3648 'default-src' : [ "'self'" ] ,
37- // Allow fonts from our site and Google Fonts
38- 'font-src' : [ "'self'" , 'https://fonts.gstatic.com' ] ,
39- // Only allow form submissions to our own domain
49+ 'font-src' : [
50+ "'self'" ,
51+
52+ // Loaded indirectly by Google Vertex search
53+ 'https://fonts.gstatic.com' ,
54+ ] ,
4055 'form-action' : [ "'self'" ] ,
41- // Prevent this site from being embedded in iframes on other domains
4256 'frame-ancestors' : [ "'self'" ] ,
43- // Allow embedding content from HubSpot and Google services
4457 'frame-src' : [
4558 "'self'" ,
59+
60+ // eslint-disable-next-line max-len
61+ // https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
62+
63+ // HubSpot calls-to-action (pop-ups) and chatflows
4664 'https://app.hubspot.com' ,
47- 'https://www.google.com' ,
65+
66+ // https://developers.google.com/tag-platform/security/guides/csp#google_ads
4867 'https://www.googletagmanager.com' ,
68+
69+ // Google Vertex search
70+ 'https://www.google.com' ,
4971 ] ,
50- // Allow images from our site, data URIs, and any HTTPS source
5172 'img-src' : [ "'self'" , 'data:' , 'https:' ] ,
52- // Block all plugins (Flash, Java, etc.)
5373 'object-src' : [ "'none'" ] ,
54- // Allow scripts from our site, HubSpot, Google services, and inline scripts
55- // 'unsafe-inline' needed for HubSpot and Google Tag Manager
56- // 'report-sample' includes script sample in violation reports
5774 'script-src' : [
5875 "'self'" ,
5976 "'report-sample'" ,
6077 "'unsafe-inline'" ,
78+
79+ // eslint-disable-next-line max-len
80+ // https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
81+
82+ // HubSpot tracking code
6183 'https://js.hs-scripts.com' ,
84+
85+ // HubSpot Analytics
6286 'https://js.hs-analytics.net' ,
87+
88+ // HubSpot cookie banner
6389 'https://js.hs-banner.com' ,
90+
91+ // HubSpot Conversations and Chatflows
6492 'https://js.usemessages.com' ,
93+
94+ // MaxMind marketing site
6595 'https://www.maxmind.com' ,
96+
97+ // Google Vertex search
6698 'https://cloud.google.com' ,
6799 'https://www.gstatic.com' ,
100+
101+ // https://developers.google.com/tag-platform/security/guides/csp#google_ads_conversions
68102 'https://www.googleadservices.com' ,
69103 'https://www.google.com' ,
104+
105+ // Google Tag Manager
70106 'https://*.googletagmanager.com' ,
71107 ] ,
72- // Allow styles from our site, Google Fonts, and inline styles
73- // 'unsafe-inline' needed for dynamic styling
74108 'style-src' : [
75109 "'self'" ,
76110 "'unsafe-inline'" ,
111+
112+ // Google Fonts API and Vertex search default styles
77113 'https://fonts.googleapis.com' ,
114+
115+ // Google static assets
78116 'https://www.gstatic.com' ,
79117 ] ,
80118 } ,
0 commit comments