From 45091442212ae2f7c2ea06576b8c35e0442a2ca8 Mon Sep 17 00:00:00 2001
From: emrah <emrah.eryilmaz@conceptboard.com>
Date: Thu, 15 Jan 2026 19:34:19 +0300
Subject: [PATCH] feat(web): Add CSP header

---
 docker-compose.yml            | 1 +
 web/rootfs/defaults/meet.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index da647c9..1fd0061 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -32,6 +32,7 @@ services:
             - COLIBRI_WEBSOCKET_REGEX
             - CONFCODE_URL
             - CORS_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
+            - CSP_HEADER
             - DEFAULT_LANGUAGE
             - DEPLOYMENTINFO_ENVIRONMENT
             - DEPLOYMENTINFO_ENVIRONMENT_TYPE
diff --git a/web/rootfs/defaults/meet.conf b/web/rootfs/defaults/meet.conf
index a0cd384..e0400a1 100644
--- a/web/rootfs/defaults/meet.conf
+++ b/web/rootfs/defaults/meet.conf
@@ -28,6 +28,9 @@ error_page 404 /static/404.html;
 # Security headers
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
+{{ if .Env.CSP_HEADER }}
+add_header Content-Security-Policy "{{ .Env.CSP_HEADER }}" always;
+{{ end }}
 
 set $prefix "";