Checking production config for API

stever · stever · commit 7a8e2f8cfe32 · 2025-10-05T11:36:05.000+01:00
diff --git a/apps/proxy/prod.Caddyfile b/apps/proxy/prod.Caddyfile
@@ -1,28 +1,4 @@
 :8080 {
-    # Strict Content Security Policy for production
-    header {
-        # Remove server identification headers
-        -Server
-        -X-Powered-By
-
-        # Security headers
-        X-Frame-Options "DENY"
-        X-Content-Type-Options "nosniff"
-        Referrer-Policy "strict-origin-when-cross-origin"
-        X-XSS-Protection "1; mode=block"
-        Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"
-
-        # Strict Transport Security (HSTS) - enable if using HTTPS
-        # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-
-        # Production CSP
-        # Using hash for inline script instead of 'unsafe-inline'
-        Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'sha256-HlD9D/WlEaVKKAvDnldsXkj/nllO8aCRBvtofUTEnGQ='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss://*.zxcoder.org https://*.zxcoder.org; worker-src 'self' blob:; child-src 'self' blob:; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
-
-        # CSP Report endpoint (optional - set up monitoring)
-        # Report-To "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://your-report-collector.example.com/csp-reports\"}]}"
-    }
-
     redir /auth /auth/
     handle /auth/* {
         uri strip_prefix /auth
