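--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -17,64 +17,98 @@ const config: HeadersConfig = {
 pattern : '/*' ,
 headers : {
 'Content-Security-Policy' : {
- // Allow AJAX/fetch requests to status page, marketing site, HubSpot,
- // and Google services for analytics and tag management
 'connect-src' : [
 "'self'" ,
 'https://status.maxmind.com' ,
 'https://www.maxmind.com' ,
+
+ // https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
+
+ // HubSpot API
 'https://api.hubspot.com' ,
+
+ // HubSpot static assets (conversations embed)
 'https://static.hsappstatic.net' ,
+
 'https://*.googleapis.com' ,
+
+ // https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
 'https://*.google-analytics.com' ,
 'https://*.analytics.google.com' ,
 'https://*.googletagmanager.com' ,
+
+ // https://developers.google.com/tag-platform/security/guides/csp#google_ads
 'https://*.g.doubleclick.net' ,
+
+ // Google domains (various TLDs for international support)
 'https://*.google.com' ,
 ] ,
- // Fallback for resources not covered by other directives
 'default-src' : [ "'self'" ] ,
- // Allow fonts from our site and Google Fonts
- 'font-src' : [ "'self'" , 'https://fonts.gstatic.com' ] ,
- // Only allow form submissions to our own domain
+ 'font-src' : [
+ "'self'" ,
+
+ // Loaded indirectly by Google Vertex search
+ 'https://fonts.gstatic.com' ,
+ ] ,
 'form-action' : [ "'self'" ] ,
- // Prevent this site from being embedded in iframes on other domains
 'frame-ancestors' : [ "'self'" ] ,
- // Allow embedding content from HubSpot and Google services
 'frame-src' : [
 "'self'" ,
+
+ // https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
+
+ // HubSpot calls-to-action (pop-ups) and chatflows
 'https://app.hubspot.com' ,
- 'https://www.google.com' ,
+
+ // https://developers.google.com/tag-platform/security/guides/csp#google_ads
 'https://www.googletagmanager.com' ,
+
+ // Google Vertex search
+ 'https://www.google.com' ,
 ] ,
- // Allow images from our site, data URIs, and any HTTPS source
 'img-src' : [ "'self'" , 'data:' , 'https:' ] ,
- // Block all plugins (Flash, Java, etc.)
 'object-src' : [ "'none'" ] ,
- // Allow scripts from our site, HubSpot, Google services, and inline scripts
- // 'unsafe-inline' needed for HubSpot and Google Tag Manager
- // 'report-sample' includes script sample in violation reports
 'script-src' : [
 "'self'" ,
 "'report-sample'" ,
 "'unsafe-inline'" ,
+
+ // https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
+
+ // HubSpot tracking code
 'https://js.hs-scripts.com' ,
+
+ // HubSpot Analytics
 'https://js.hs-analytics.net' ,
+
+ // HubSpot cookie banner
 'https://js.hs-banner.com' ,
+
+ // HubSpot Conversations and Chatflows
 'https://js.usemessages.com' ,
+
+ // MaxMind marketing site
 'https://www.maxmind.com' ,
+
+ // Google Vertex search
 'https://cloud.google.com' ,
 'https://www.gstatic.com' ,
+
+ // https://developers.google.com/tag-platform/security/guides/csp#google_ads_conversions
 'https://www.googleadservices.com' ,
 'https://www.google.com' ,
+
+ // Google Tag Manager
 'https://*.googletagmanager.com' ,
 ] ,
- // Allow styles from our site, Google Fonts, and inline styles
- // 'unsafe-inline' needed for dynamic styling
 'style-src' : [
 "'self'" ,
 "'unsafe-inline'" ,
+
+ // Google Fonts API and Vertex search default styles
 'https://fonts.googleapis.com' ,
+
+ // Google static assets
 'https://www.gstatic.com' ,
 ] ,
 } ,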