From 7e67369600d2c4ad98ff7ea2bf5d7532ef728cd1 Mon Sep 17 00:00:00 2001 From: Vadym Samoilenko Date: Wed, 18 Mar 2026 22:03:33 +0000 Subject: [PATCH] Fix CSP violations: allow PostHog, TinaCMS visual editor framing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - script-src: add us-assets.i.posthog.com (TinaCMS bundles PostHog) - connect-src: add us.i.posthog.com, us-assets.i.posthog.com - frame-src: add ai-impress.com (TinaCMS visual editor iframes the site) - font-src: add data: (TinaCMS font loading) - X-Frame-Options: DENY → SAMEORIGIN (required for TinaCMS admin preview) Co-Authored-By: Claude Sonnet 4.6 --- server/nginx.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/nginx.conf b/server/nginx.conf index 1d9e7eb..6d07f8b 100644 --- a/server/nginx.conf +++ b/server/nginx.conf @@ -54,8 +54,8 @@ server { } # Security headers - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://cdn.mxpnl.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://lh3.googleusercontent.com https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://*.google-analytics.com https://*.analytics.google.com https://api-js.mixpanel.com https://api.mixpanel.com https://*.mixpanel.com https://*.mxpnl.com https://*.amplitude.com https://content.tinajs.io https://*.tinajs.io https://api.tinajs.io; frame-src https://www.youtube.com; media-src 'self'; worker-src 'self' blob:;" always; - add_header X-Frame-Options "DENY" always; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://cdn.mxpnl.com https://us-assets.i.posthog.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https://lh3.googleusercontent.com https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://*.google-analytics.com https://*.analytics.google.com https://api-js.mixpanel.com https://api.mixpanel.com https://*.mixpanel.com https://*.mxpnl.com https://*.amplitude.com https://content.tinajs.io https://*.tinajs.io https://api.tinajs.io https://us.i.posthog.com https://us-assets.i.posthog.com; frame-src https://www.youtube.com https://ai-impress.com; media-src 'self'; worker-src 'self' blob:;" always; + add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "no-referrer-when-downgrade" always;