fix(security): allow HTMX CDN and inline scripts in CSP

script-src now permits 'unsafe-inline' and https://unpkg.com so the autocomplete script and HTMX library load correctly.
2026-03-22 17:22:31 +00:00 · 2026-03-22 17:22:31 +00:00 · a9ae69cad5
commit a9ae69cad5
parent 2b072e4de3
1 changed files with 1 additions and 1 deletions
--- a/internal/middleware/security.go
+++ b/internal/middleware/security.go
@ -80,7 +80,7 @@ func SecurityHeaders(cfg SecurityHeadersConfig) func(http.Handler) http.Handler
 func defaultCSP() string {
 	return strings.Join([]string{
 		"default-src 'self'",
-		"script-src 'self'",
+		"script-src 'self' 'unsafe-inline' https://unpkg.com",
 		"style-src 'self' 'unsafe-inline'",
 		"img-src 'self' https: data:",
 		"connect-src 'self'",