Skip to content

fix(security): replace CSP unsafe-inline with sha256 script hashes#824

Open
NewCoder3294 wants to merge 1 commit intokoala73:mainfrom
NewCoder3294:fix/csp-unsafe-inline
Open

fix(security): replace CSP unsafe-inline with sha256 script hashes#824
NewCoder3294 wants to merge 1 commit intokoala73:mainfrom
NewCoder3294:fix/csp-unsafe-inline

Conversation

@NewCoder3294
Copy link
Contributor

@NewCoder3294 NewCoder3294 commented Mar 2, 2026

Summary

  • Replaced 'unsafe-inline' in the script-src directive of the Content-Security-Policy header in vercel.json with explicit SHA256 hashes of all known inline scripts
  • This hardens the CSP by only allowing specific, pre-approved inline scripts to execute, preventing XSS attacks via arbitrary inline script injection
  • The sha256 hashes match those already present in the index.html <meta> CSP tag, ensuring consistency between the HTTP header and meta tag policies

Inline scripts hashed

Script Hash
Theme/variant init (FOUC prevention) sha256-LnMFPWZxTgVOr2VYwIh9mhQ3l/l3+a3SfNOLERnuHfY=
Vite module preload polyfill sha256-+SFBjfmi2XfnyAT3POBxf6JIKYDcNXtllPclOcaNBI0=
Vite build-injected script sha256-AhZAmdCW6h8iXMyBcvIrqN71FGNk4lwLD+lPxx43hxg=
Vite build-injected script sha256-PnEBZii+iFaNE2EyXaJhRq34g6bdjRJxpLfJALdXYt8=

Security benefit

'unsafe-inline' in script-src effectively disables one of the most important CSP protections — it allows any inline <script> tag to execute, which is the primary vector for XSS attacks. By replacing it with sha256 hashes, only the exact known inline scripts are permitted. Any injected malicious script will be blocked by the browser.

Test plan

  • npx tsx --test tests/deploy-config.test.mjs — all 13 tests pass, including the specific test "CSP script-src uses hashes instead of unsafe-inline" (line 143-147)
  • Verify deployed site loads correctly (theme init script, Vite module preload, etc.)
  • Check browser console for CSP violation errors after deployment

🤖 Generated with Claude Code

@NewCoder3294 @claude
fix(security): replace CSP unsafe-inline with sha256 script hashes
5c276ad 
The Content-Security-Policy header in vercel.json used 'unsafe-inline'
for script-src, which weakens the security policy by allowing any inline
script to execute. Replace it with explicit SHA256 hashes of the known
inline scripts, matching the hashes already present in the index.html
meta CSP tag.

Hashed inline scripts:
- Theme/variant init script (FOUC prevention): sha256-LnMFPWZxTgVOr2VYwIh9mhQ3l/l3+a3SfNOLERnuHfY=
- Vite module preload polyfill: sha256-+SFBjfmi2XfnyAT3POBxf6JIKYDcNXtllPclOcaNBI0=
- Vite build injected scripts: sha256-AhZAmdCW6h8iXMyBcvIrqN71FGNk4lwLD+lPxx43hxg=, sha256-PnEBZii+iFaNE2EyXaJhRq34g6bdjRJxpLfJALdXYt8=

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vercel
Copy link

vercel bot commented Mar 2, 2026

@NewCoder3294 is attempting to deploy a commit to the Elie Team on Vercel.

A member of the Team first needs to authorize it.

@koala73 koala73 added Not Ready to Merge PR has conflicts, failing checks, or needs work High Value Meaningful contribution to the project labels Mar 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

High Value Meaningful contribution to the project Not Ready to Merge PR has conflicts, failing checks, or needs work

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NewCoder3294 @koala73