caddy/snippets/security/csp.snippet

# caddy/snippets/security/csp.snippet
# Conservative CSP suitable for internal dashboards (grafana, gitea,
# portainer). Apps that need inline scripts (jellyfin) should override
# with their own header block.

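# The whole policy must be ONE quoted token. Caddyfile's backslash line
# continuation only works outside quotes; inside a quoted string the `\` and
# the newline are kept literally, so the multi-line form reaches the browser as
#   default-src 'self'; \ img-src 'self' data: blob:; \ style-src ...
# Every directive after the first then parses as an unknown directive named `\`
# and is dropped: only `default-src 'self'` is enforced, and frame-ancestors
# (clickjacking protection) and base-uri are silently lost. Keep it on one line.
#
# Directive by directive:
#   default-src 'self'                      fallback for every fetch directive not listed below
#   object-src 'none'                       no <object>/<embed>/plugins; default-src alone would allow same-origin ones
#   img-src 'self' data: blob:              inline icons (data:) and generated images/exports (blob:)
#   style-src 'self' 'unsafe-inline'        inline styles allowed; inline/eval *scripts* are not
#   script-src 'self'                       same-origin JS only, no inline or third-party scripts
#   connect-src 'self' https://*.home.arpa  XHR/fetch/WebSocket to this host and to any LAN service
#                                           (wildcard is LAN-wide; narrow it per app if possible)
#   frame-ancestors 'none'                  this app may not be framed; supersedes X-Frame-Options
#   base-uri 'self'                         blocks <base> injection that would redirect relative URLs
#
# Not set: `form-action 'self'` — a reasonable tightening, but it can break
# login flows that POST to an external identity provider; enable it per app.
#
# NOTE(review): if the upstream app already emits its own CSP, a non-deferred
# `header` set is applied before the proxied response and the upstream header
# is added alongside it, so browsers enforce both policies. Use the deferred
# form `header >Content-Security-Policy ...` to replace the upstream header
# instead — confirm against the Caddy header docs for the version in use.
header Content-Security-Policy "default-src 'self'; object-src 'none'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self'; connect-src 'self' https://*.home.arpa; frame-ancestors 'none'; base-uri 'self'"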