Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion backend/backend/settings/base.py
Original file line number Diff line number Diff line change
Expand Up @@ -689,4 +689,6 @@ def filter(self, record):
)
raise ValueError(ERROR_MESSAGE)

ENABLE_HIGHLIGHT_API_DEPLOYMENT = os.environ.get("ENABLE_HIGHLIGHT_API_DEPLOYMENT", False)
ENABLE_HIGHLIGHT_API_DEPLOYMENT = CommonUtils.str_to_bool(
os.environ.get("ENABLE_HIGHLIGHT_API_DEPLOYMENT", "False")
)
11 changes: 2 additions & 9 deletions frontend/nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -47,15 +47,8 @@ http {
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Content Security Policy (single quoted string required by nginx add_header)
# - 'unsafe-inline' in script-src: required for runtime-config.js injected at container start
# - 'unsafe-eval' in script-src: required by RJSF (React JSON Schema Form) which uses new Function()
# - 'unsafe-inline' in style-src: required by Ant Design CSS-in-JS
# - blob: in connect-src: required by PDF.js viewer for blob: URL document loading
# - cdn.jsdelivr.net: Monaco Editor loads from this CDN
# - unpkg.com: PDF.js worker
# - PostHog, GTM, reCAPTCHA, Stripe, Product Fruits: third-party services
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always;
# CSP in report-only mode: logs violations to browser console without blocking requests.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.googletagmanager.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com https://app.productfruits.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://eu.i.posthog.com https://eu-assets.i.posthog.com; font-src 'self' data:; connect-src 'self' blob: wss: https://cdn.jsdelivr.net https://eu.i.posthog.com https://eu-assets.i.posthog.com https://www.google-analytics.com https://api.stripe.com https://app.productfruits.com; frame-src 'self' https://www.google.com/recaptcha/ https://recaptcha.google.com https://js.stripe.com https://hooks.stripe.com; worker-src 'self' blob: https://unpkg.com https://cdn.jsdelivr.net; object-src 'none'; base-uri 'self'; form-action 'self' https://checkout.stripe.com; frame-ancestors 'self'" always;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security CSP Downgraded to Report-Only Mode

Switching from Content-Security-Policy to Content-Security-Policy-Report-Only removes all CSP enforcement — the browser will only log violations and no longer block them. This means XSS payloads that the previous policy would have blocked (e.g., inline script injection, unauthorized connect-src destinations) will now execute freely. If this is a temporary debugging measure for a hotfix, it should be time-boxed and reverted promptly, as it weakens the application's primary XSS defense.

Prompt To Fix With AI
This is a comment left during a code review.
Path: frontend/nginx.conf
Line: 51

Comment:
**CSP Downgraded to Report-Only Mode**

Switching from `Content-Security-Policy` to `Content-Security-Policy-Report-Only` removes all CSP enforcement — the browser will only log violations and no longer block them. This means XSS payloads that the previous policy would have blocked (e.g., inline script injection, unauthorized `connect-src` destinations) will now execute freely. If this is a temporary debugging measure for a hotfix, it should be time-boxed and reverted promptly, as it weakens the application's primary XSS defense.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code


# Disable TRACE and TRACK methods
if ($request_method ~ ^(TRACE|TRACK)$) {
Expand Down
Loading