Summary
This PR introduces CSP controls for image and CSS sources.
In line with the issue intent, the defaults are kept relatively permissive to prevent breaking changes on existing instances, while still providing clear options to tighten policies where needed.
Changes
- Added
img-src and style-src directives to CSP handling.
- Added environment/config options:
ALLOWED_IMAGE_SOURCES
ALLOWED_CSS_SOURCES
- Kept permissive defaults when these options are not set, to reduce rollout risk.
- Added tests in
SecurityHeaderTest for:
- default behavior
- custom override behavior
- Added documentation:
.env.example.complete entries and examples
- development docs section describing controls and hardening guidance
- README pointer to the CSP docs section
Why this approach
The implementation is intentionally conservative by default, especially compared to JS/iframe controls, so instances do not unexpectedly break after upgrade. At the same time, admins can now explicitly restrict allowed sources as part of their hardening process.
Testing
docker compose run --rm app php artisan test tests/SecurityHeaderTest.php --filter="style src|img src|csp"
Closes #6033.
## Summary
This PR introduces CSP controls for image and CSS sources.
In line with the issue intent, the defaults are kept relatively permissive to prevent breaking changes on existing instances, while still providing clear options to tighten policies where needed.
## Changes
- Added `img-src` and `style-src` directives to CSP handling.
- Added environment/config options:
- `ALLOWED_IMAGE_SOURCES`
- `ALLOWED_CSS_SOURCES`
- Kept permissive defaults when these options are not set, to reduce rollout risk.
- Added tests in `SecurityHeaderTest` for:
- default behavior
- custom override behavior
- Added documentation:
- `.env.example.complete` entries and examples
- development docs section describing controls and hardening guidance
- README pointer to the CSP docs section
## Why this approach
The implementation is intentionally conservative by default, especially compared to JS/iframe controls, so instances do not unexpectedly break after upgrade. At the same time, admins can now explicitly restrict allowed sources as part of their hardening process.
## Testing
- `docker compose run --rm app php artisan test tests/SecurityHeaderTest.php --filter="style src|img src|csp"`
Closes #6033.