fix: add unsafe-inline back to style-src CSP

style-src without unsafe-inline blocks all inline style= attributes, breaking logo sizing, section layouts, and any element with inline CSS. script-src retains nonces for actual XSS protection — style-src unsafe-inline is safe and necessary for the sites inline styling patterns.
2026-03-22 19:26:22 +00:00
parent 5d490ac91e
commit 683b701655
1 changed files with 1 additions and 1 deletions
--- a/index.php
+++ b/index.php
@@ -13,7 +13,7 @@ if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 }
 header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
-header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}' https://cdnjs.cloudflare.com https://www.googletagmanager.com https://www.google-analytics.com https://www.clarity.ms https://www.google.com https://www.gstatic.com; style-src 'self' 'nonce-{$nonce}' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://region1.google-analytics.com https://www.google.com; frame-src https://www.google.com;");
+header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}' https://cdnjs.cloudflare.com https://www.googletagmanager.com https://www.google-analytics.com https://www.clarity.ms https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://region1.google-analytics.com https://www.google.com; frame-src https://www.google.com;");
 // SEO and performance optimizations
 $page_title = "AI Automation for Legal Firms UK | Cut Research Time 80%";