
max / makenotwork

Remove duplicate security headers from Caddy

The app sets its own CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Caddy was adding a second set, and browsers enforce the intersection of multiple CSPs: the Caddy CSP (default-src 'none') was blocking self-hosted embeds and conflicting with the app's more permissive policy.

Also fix bundle JS init timing for HTMX tab swaps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author: Max J. <87768334+MaxJMath@users.noreply.github.com> · 2026-05-10 19:29 UTC
Commit: 5e55eaa502ef76675913e7b4ccb09089d7bc70d0
Parent: 711a5b7
1 file changed, +1 insertion, -7 deletions
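The commit message's claim that browsers enforce the intersection of several CSPs is the whole reason for this change, so here is a small simulation of that rule. This is an added example, not code from the makenotwork repository: it takes the Caddy CSP that the hunk below removes verbatim, pairs it with an assumed application CSP (constructed for illustration; the real app policy is not shown on this page), and checks a few loads against each policy alone and against both together, the way a browser does when two Content-Security-Policy headers arrive on one response.

```python
"""Added example (not part of the makenotwork project): simulate how a browser
applies several Content-Security-Policy headers to one request.  Every delivered
policy is evaluated on its own and the load is permitted only if all of them allow
it, so the effective policy is the intersection, never the union."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES_WITH_FALLBACK = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "frame-src", "object-src", "worker-src", "child-src",
}

# The Caddy CSP removed by this commit, copied from the hunk.
CADDY_CSP = (
    "default-src 'none'; script-src 'self' 'unsafe-inline' https://unpkg.com https://js.stripe.com; "
    "style-src 'self' 'unsafe-inline'; font-src 'self'; "
    "img-src 'self' data: https://fsn1.your-objectstorage.com https://cdn.makenot.work; "
    "connect-src 'self' https://api.stripe.com https://fsn1.your-objectstorage.com https://cdn.makenot.work; "
    "media-src 'self' https://fsn1.your-objectstorage.com https://cdn.makenot.work; "
    "frame-src https://js.stripe.com; base-uri 'self'; form-action 'self'"
)

# ASSUMED application CSP (constructed; the real one is not on this page).  It is
# deliberately more permissive for frames so the conflict the commit describes shows up.
APP_CSP = (
    "default-src 'self'; script-src 'self' https://js.stripe.com; "
    "frame-src 'self' https://js.stripe.com; img-src 'self' data: https://cdn.makenot.work"
)

SELF_ORIGIN = "https://makenot.work"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse 'directive src src; directive ...' into {directive: [sources]}.
    The first occurrence of a directive wins, as browsers do."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            name, *sources = tokens
            policy.setdefault(name.lower(), sources)
    return policy


def _source_matches(source: str, url: str, self_origin: str) -> bool:
    """Match one source expression ('self', 'none', scheme:, [scheme://]host) against a URL.
    Deliberately simplified: no port wildcards, no path matching, no http->https upgrade."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return origin == self_origin
    if s == "*":
        return True
    if s.endswith(":") and "/" not in s:          # scheme source, e.g. data: or https:
        return parts.scheme + ":" == s
    scheme, _, host = s.rpartition("://")          # host source, optional scheme prefix
    if scheme and scheme != parts.scheme:
        return False
    if host.startswith("*."):
        return parts.netloc.endswith(host[1:])    # "*.example.com" -> ".example.com"
    return parts.netloc == host


def allows(policy: dict[str, list[str]], directive: str, url: str, self_origin: str) -> bool:
    """Does ONE policy allow `url` for `directive`?  Falls back to default-src; a directive
    that is governed by neither places no restriction at all."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES_WITH_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(src, url, self_origin) for src in sources)


def effective_allows(policies: list[dict[str, list[str]]], directive: str, url: str, self_origin: str) -> bool:
    """Browsers enforce every delivered CSP; a load succeeds only if all of them allow it."""
    return all(allows(p, directive, url, self_origin) for p in policies)


if __name__ == "__main__":
    caddy, app = parse_csp(CADDY_CSP), parse_csp(APP_CSP)
    embed = "https://makenot.work/embed/clip-1"    # a self-hosted embed, as in the commit message
    print("app alone allows embed frame:  ", allows(app, "frame-src", embed, SELF_ORIGIN))
    print("caddy alone allows embed frame:", allows(caddy, "frame-src", embed, SELF_ORIGIN))
    print("both headers present:          ", effective_allows([caddy, app], "frame-src", embed, SELF_ORIGIN))
    print("stripe frame, both present:    ", effective_allows([caddy, app], "frame-src", "https://js.stripe.com/v3/", SELF_ORIGIN))
```

With both headers present the self-hosted iframe is refused even though the application's policy permits it, because the Caddy policy only lists js.stripe.com under frame-src; removing one of the two policies (as the commit does) is the only way to loosen the result, since a second CSP can only ever tighten.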
@@ -37,15 +37,9 @@ makenot.work {
37 37 # Reverse proxy to application (includes /docs routes)
38 38 reverse_proxy localhost:3000
39 39
40 - # Security headers
40 + # Security headers (CSP is set by the app — do not duplicate here)
41 41 header {
42 - X-Frame-Options "SAMEORIGIN"
43 - X-Content-Type-Options "nosniff"
44 - X-XSS-Protection "1; mode=block"
45 42 Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
46 - Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(self)"
47 - Referrer-Policy "strict-origin-when-cross-origin"
48 - Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' https://unpkg.com https://js.stripe.com; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data: https://fsn1.your-objectstorage.com https://cdn.makenot.work; connect-src 'self' https://api.stripe.com https://fsn1.your-objectstorage.com https://cdn.makenot.work; media-src 'self' https://fsn1.your-objectstorage.com https://cdn.makenot.work; frame-src https://js.stripe.com; base-uri 'self'; form-action 'self'"
49 43 }
50 44
51 45 # Static error pages when app is down
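Review bot: the replacement comment on line 40 only warns against duplicating the CSP, yet the hunk also drops X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy, plus X-XSS-Protection, which the commit message never mentions; widen the comment to name every header now delegated to the app, and record that X-XSS-Protection was removed on purpose (it is obsolete in current browsers, so dropping it is fine). The bigger concern is that those headers are now emitted only by the backend on localhost:3000: any response Caddy generates itself, including the static error pages served when the app is down (line 51), will carry nothing but Strict-Transport-Security. Caddy's default-if-unset form, e.g. `?X-Content-Type-Options "nosniff"` and `?X-Frame-Options "SAMEORIGIN"`, adds a header only when the upstream did not set it, which gives the error pages coverage without reintroducing duplicates. The CSP should still stay out of Caddy entirely, since a second Content-Security-Policy header is enforced alongside the first rather than replaced by it.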