bert.hausmans
b5fcb7c14a
Vuexy loads fonts via webfontloader from fonts.googleapis.com and fonts.gstatic.com. The previous CSP blocked these, causing a white screen. - style-src: added https://fonts.googleapis.com - font-src: added https://fonts.gstatic.com - Removed frame-ancestors from meta tags (ignored in meta, console warnings) Updated in all three index.html dev meta tags and both Nginx SPA/portal configs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Crewli Deployment — Security Configuration
Nginx Security Headers
Copy the configuration snippets to your Nginx server:
API (api.crewli.app)
server {
server_name api.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-api.conf;
# ... rest of config
}
Organizer App (app.crewli.app)
server {
server_name app.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-spa.conf;
# ... rest of config
}
Admin (admin.crewli.app)
server {
server_name admin.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-spa.conf;
# ... rest of config
}
Portal (portal.crewli.app)
server {
server_name portal.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-portal.conf;
# ... rest of config
}
CSP Rollout Process
- Start with
Content-Security-Policy-Report-Only(uncomment incsp-spa.conf) - Monitor browser console for CSP violations for 1-2 weeks
- Add any missing sources to the policy
- Switch to enforcing
Content-Security-Policy - Monitor for false positives after enforcement
DirectAdmin Integration
If using DirectAdmin with Nginx:
- Place the
.conffiles in/usr/local/directadmin/data/users/USERNAME/nginx.confor use DirectAdmin's custom Nginx configuration feature - Reload Nginx:
service nginx reload - Verify headers:
curl -I https://app.crewli.app | grep -i security