From 993d16d9208901839d23ec9c2965e14b06eaa1d3 Mon Sep 17 00:00:00 2001
From: Richard Bergsma <richard@365devnet.eu>
Date: Thu, 6 Nov 2025 12:40:45 +0100
Subject: [PATCH] Update Content-Security-Policy in server.js to enhance
 security

- Modified the Content-Security-Policy to allow 'unsafe-inline' for script-src, improving compatibility with existing scripts while maintaining security measures.
---
 server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server.js b/server.js
index c0f05fe..143193a 100644
--- a/server.js
+++ b/server.js
@@ -25,7 +25,7 @@ app.use((req, res, next) => {
   if (process.env.ENABLE_SSR_CSP === '1') {
     res.setHeader(
       'Content-Security-Policy',
-      "default-src 'self' https://365devnet.eu https://*.365devnet.eu; script-src 'self' 'wasm-unsafe-eval' 'nonce-astro' https://chat.365devnet.eu; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cdn.pixabay.com https://raw.githubusercontent.com; font-src 'self' data:; connect-src 'self' https://365devnet.eu https://chat.365devnet.eu wss://chat.365devnet.eu; frame-src https://chat.365devnet.eu; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+      "default-src 'self' https://365devnet.eu https://*.365devnet.eu; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' 'nonce-astro' https://chat.365devnet.eu; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cdn.pixabay.com https://raw.githubusercontent.com; font-src 'self' data:; connect-src 'self' https://365devnet.eu https://chat.365devnet.eu wss://chat.365devnet.eu; frame-src https://chat.365devnet.eu; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
     );
   }
   next();