[Feature Request] Add Content-Security-Policy HTTP headers #385
Description
Is your feature request related to a problem?
Hi,
currently Gokapi does not send the Content-Security-Policy HTTP header for all pages served by the application (notably the header is missing from the application root /, /login page, /admin page...)
This header would provide additional security against potential malicious scripts or resources from third-party domains.
Could you add the header with an appropriate value to all application responses? (as far as I can see, Gokapi does not load any third-party resources, so default-src 'self' should be fine)
(On a second look, I can see a third-party resource is loaded by the StreamSaver mitm service worker on the download page (https://forceu.github.io/...), what is the purpose of this cross-site request?)
If that is not possible, let me know if this header should be set by the reverse proxy instead (in which case a mention in the docs would still be nice).
Thanks for your work on Gokapi
Describe the solution you'd like
All HTTP responses by the application should contain a Content-Security-Policy header
Describe alternatives you've considered
Configuring my reverse proxy to inject the header
Additional Context
No response
Impact
- This would be a breaking change to existing setups.
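As an added illustration of what the request asks for (this is example code, not Gokapi's own implementation), the block below shows a Go middleware that attaches a Content-Security-Policy header to every response, with a page-specific override for a download page that has to allow the StreamSaver origin, plus an in-process check that reports routes still lacking the header. The route names are taken from the issue; the /download path, the handler bodies and the exact policy strings are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// DefaultPolicy is the policy proposed in the issue: every resource must come
// from the application's own origin. The value is an assumption for this example.
const DefaultPolicy = "default-src 'self'"

// StreamSaverOrigin is the third-party origin named in the issue for the
// StreamSaver mitm service worker; only the download page needs to allow it.
const StreamSaverOrigin = "https://forceu.github.io"

// WithCSP returns a handler that writes Content-Security-Policy on every
// response before delegating to next. Because the header is set first, an
// individual page handler can still replace it with a page-specific policy.
func WithCSP(policy string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policy)
		next.ServeHTTP(w, r)
	})
}

// NewRouter builds a hypothetical router with the routes named in the issue
// (/, /login, /admin) and a /download page (assumed path) that needs the
// StreamSaver origin in its policy.
func NewRouter() http.Handler {
	mux := http.NewServeMux()
	page := func(name string) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintf(w, "<html><body>%s</body></html>", name)
		}
	}
	mux.HandleFunc("/", page("index"))
	mux.HandleFunc("/login", page("login"))
	mux.HandleFunc("/admin", page("admin"))
	mux.HandleFunc("/download", func(w http.ResponseWriter, r *http.Request) {
		// Page-specific override: same-origin plus the StreamSaver origin.
		// Narrow this to the directive matching how the resource is loaded
		// (e.g. frame-src or script-src) once that is known.
		w.Header().Set("Content-Security-Policy",
			DefaultPolicy+" "+StreamSaverOrigin)
		page("download")(w, r)
	})
	return WithCSP(DefaultPolicy, mux)
}

// PolicyFor performs an in-process GET against h and returns the
// Content-Security-Policy header of the response ("" if absent).
func PolicyFor(h http.Handler, path string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("Content-Security-Policy")
}

// MissingCSP returns the routes among paths whose response carries no policy
// header; a non-empty result is the regression the issue reports.
func MissingCSP(h http.Handler, paths []string) []string {
	var missing []string
	for _, p := range paths {
		if PolicyFor(h, p) == "" {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	h := NewRouter()
	routes := []string{"/", "/login", "/admin", "/download"}
	for _, p := range routes {
		fmt.Printf("%-10s %q\n", p, PolicyFor(h, p))
	}
	fmt.Println("routes without CSP:", MissingCSP(h, routes))
}
```

Wrapping the whole mux once is what makes the header appear on every route, including ones added later; the same PolicyFor check can be run against a reverse proxy in front of the application if the header is injected there instead.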