diff --git a/Caddyfile b/Caddyfile
index fd7261c..20b6ae9 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -8,6 +8,19 @@
 root * /srv
 encode zstd gzip
+ # Security headers (FO-SEC-03). CSP allows self + the two pinned CDNs, the
+ # CARTO basemap (styles/tiles/fonts) and the fleet APIs; SRI in index.html
+ # pins the CDN payloads themselves. frame-ancestors 'none' = no clickjacking.
+ # script-src keeps 'unsafe-inline' because the whole app is one inline
+ # - + + - - + +