<?php

declare(strict_types=1);

return [

    /*
    |--------------------------------------------------------------------------
    | Content Security Policy
    |--------------------------------------------------------------------------
    |
    | CSP header value. Set to null to disable. Use report-only mode first
    | to identify violations before enforcing.
    |
    | For the API: restrictive policy (no scripts, no styles needed).
    | For SPAs: CSP is configured at the web server (Nginx) level because
    | Vite-generated script hashes change per build.
    |
    */

    'csp' => env('CSP_POLICY', "default-src 'none'; frame-ancestors 'none'"),

    /*
    |--------------------------------------------------------------------------
    | CSP Report Only
    |--------------------------------------------------------------------------
    |
    | When true, sends Content-Security-Policy-Report-Only instead of
    | Content-Security-Policy. Violations are logged but not blocked.
    | Use this for initial rollout to catch false positives.
    |
    */

    'csp_report_only' => env('CSP_REPORT_ONLY', false),

];