We’ve hardened the Content Security Policy on every route. Now, instead of allowing any inline <script> to execute, the browser only runs scripts that carry a per-request cryptographic nonce stamped by our edge proxy. Anything injected by an attacker — through a comment, a form field, or a third-party widget — has no nonce, so the browser refuses to run it.
Alongside the nonce we tightened the rest of the security header set:
- HSTS preload — browsers refuse to talk to us over plain HTTP.
- X-Frame-Options DENY — no one can embed your dashboard in an iframe.
- Permissions-Policy — camera, microphone, and geolocation are off by default.
- Referrer-Policy: strict-origin-when-cross-origin — outbound links don’t leak your URL.
You don’t need to do anything. The change applies to every page on every device, and we’ve verified it doesn’t break any of our own features. Browsers post CSP violation reports to our internal CSP-report endpoint, so we catch regressions before you do.