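# CSP for app.crewli.app and admin.crewli.app
#
# Vite bundles all JS/CSS into same-origin files, so script-src stays at 'self'
# (no 'unsafe-inline', no nonces needed).
# 'unsafe-inline' for style-src is required by Vuetify (inline styles for
# theming). This weakens style-src only; script-src remains strict.
# img-src https: allows organisation logos loaded from external URLs. It admits
# any HTTPS origin by design; tighten to an allow-list if logos move to a fixed host.
# connect-src must include the API domain for XHR/fetch calls.
# object-src 'none' is set explicitly: without it <object>/<embed> fall back to
# default-src 'self'. A same-origin plugin embed (if one exists) would show up
# as a violation during the report-only phase below.
#
# IMPORTANT: Start with Content-Security-Policy-Report-Only to catch
# false positives. Switch to Content-Security-Policy after 1-2 weeks
# of clean logs.
#
# Report-Only does not produce server-side logs by itself: violations are only
# printed in the browser devtools console. Append a reporting directive, e.g.
# "; report-uri <CSP_REPORT_ENDPOINT>" (placeholder, point it at a collector),
# to both policies so reports actually reach the logs you will be reviewing.
#
# nginx gotcha: add_header is NOT inherited into a server/location block that
# defines its own add_header (e.g. a static-asset location that sets
# Cache-Control). Repeat this directive in such blocks or the CSP silently
# disappears there. "always" keeps the header on 4xx/5xx responses as well.

# Report-only mode (start with this):
# add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;

# Enforce mode (switch to this after testing):
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://api.crewli.app; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'" always;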