Diffstat (limited to 'internal/middleware/security.go')
-rw-r--r--internal/middleware/security.go7
1 files changed, 4 insertions, 3 deletions
diff --git a/internal/middleware/security.go b/internal/middleware/security.go
index 159a0e6..e048645 100644
--- a/internal/middleware/security.go
+++ b/internal/middleware/security.go
@@ -21,13 +21,14 @@ func SecurityHeaders(debug bool) func(http.Handler) http.Handler {
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
}
- // Content Security Policy - allow self, inline styles (Tailwind), and external images
+ // Content Security Policy - allow self, inline styles (Tailwind), external images, and embeds
w.Header().Set("Content-Security-Policy",
"default-src 'self'; "+
"img-src 'self' https: data:; "+
"script-src 'self' 'unsafe-inline' https://unpkg.com; "+
- "style-src 'self' 'unsafe-inline'; "+
- "font-src 'self' https:; "+
+ "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "+
+ "font-src 'self' https://fonts.gstatic.com; "+
+ "frame-src https://www.youtube.com https://embed.windy.com; "+
"connect-src 'self'")
next.ServeHTTP(w, r)