diff --git a/deploy/helm/cheers/templates/frontend.yaml b/deploy/helm/cheers/templates/frontend.yaml index a3c14a13..6e1203b6 100644 --- a/deploy/helm/cheers/templates/frontend.yaml +++ b/deploy/helm/cheers/templates/frontend.yaml @@ -16,13 +16,15 @@ data: index index.html; # Security headers (audit M2): clickjacking + MIME-sniff + referrer + a - # minimal CSP. CSP is intentionally narrow (no script-src lockdown) to - # avoid breaking the Vite SPA; tighten with nonces later. No location here - # defines its own add_header, so these inherit to every response. + # hardened CSP. The production Vite build emits only external hashed module + # scripts (no inline