Skip to content

Commit a078b34

Browse files
kevingorskiclaude
andcommitted
Apply Fresh 2's csp middleware globally with project img-src extension
Replaces the per-route useCSP() hook (deleted alongside utils/csp.ts in the previous commit) with the Fresh 2 built-in `csp` middleware applied at the App level. This is strictly more secure than the Fresh 1 setup: CSP now applies to every route, not just the three deletion/account pages that explicitly opted in. Configuration: - `useNonce: true` swaps the default 'unsafe-inline' allowance for per-request nonces that Fresh auto-injects into the inline scripts/styles it emits during render. - The single override extends `img-src` to permit `avatars.github usercontent.com` (OAuth-provided GitHub avatars) and `www.gravatar.com` (developer profile avatars). The Fresh 2 defaults cover everything else: default-src 'self', script/style via nonces, frame-ancestors 'none', base-uri 'self', form-action 'self', upgrade-insecure-requests, etc. Tests unchanged (11 pass, e2e still ignored pending build-cache test harness — tracked separately). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent 0bf7612 commit a078b34

1 file changed

Lines changed: 19 additions & 1 deletion

File tree

main.ts

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,27 @@
1-
import { App, staticFiles } from "fresh";
1+
import { App, csp, staticFiles } from "fresh";
22
import type { State } from "@/routes/_middleware.ts";
33

44
export const app = new App<State>();
55

66
app.use(staticFiles());
7+
8+
// Content-Security-Policy. Fresh 2's `csp` middleware ships sensible
9+
// defaults (default-src 'self', script/style-src 'self' 'unsafe-inline',
10+
// frame-ancestors 'none', base-uri 'self', upgrade-insecure-requests, etc.);
11+
// `useNonce: true` swaps the 'unsafe-inline' allowance for per-request
12+
// nonces that Fresh injects into the inline scripts/styles it emits.
13+
//
14+
// We only need to extend `img-src` to permit the two avatar hosts used by
15+
// developer profiles: GitHub OAuth avatars and Gravatar.
16+
app.use(
17+
csp({
18+
useNonce: true,
19+
csp: [
20+
"img-src 'self' data: avatars.githubusercontent.com www.gravatar.com",
21+
],
22+
}),
23+
);
24+
725
app.fsRoutes();
826

927
if (import.meta.main) {

0 commit comments

Comments
 (0)