Private
Public Access
1
0

Replace unsafe-inline with CSP nonces for script-src

SvelteKit now handles script-src with automatic nonces via its
built-in CSP support. The hooks handler merges extra directives
(style-src, font-src, img-src, etc.) onto SvelteKit's nonce-based
policy for page responses, and sets a full CSP for API responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Catherine Renelle
2026-03-09 08:16:45 -04:00
parent b05521add6
commit 2d4c3a57da
2 changed files with 17 additions and 1 deletions
+6
View File
@@ -8,6 +8,12 @@ const config = {
$components: 'src/lib/components',
$server: 'src/lib/server',
$utils: 'src/lib/utils'
},
csp: {
directives: {
'default-src': ['self'],
'script-src': ['self']
}
}
}
};