import adapter from '@sveltejs/adapter-node';
import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
// Origins passed to SvelteKit's `csrf.trustedOrigins`. The intent is to stop
// 127.0.0.1-vs-localhost mismatches from tripping the origin check in dev;
// production is said to rely on a custom origin check in hooks.server.ts.
// NOTE(review): nothing in this file gates the list on a dev flag, so it is
// part of every build. Confirm (a) that SvelteKit honours the `:*` port
// wildcard rather than comparing exact origin strings, and (b) that the
// hooks.server.ts check really covers production. Neither is visible here.
const loopbackOrigins = ['http://localhost:*', 'http://127.0.0.1:*'];

// Third-party hosts allowed in connect-src. The hostnames look like the
// browser vendors' Web Push endpoints. TODO confirm each one is still needed.
const pushServiceOrigins = [
  'https://*.push.services.mozilla.com',
  'https://*.push.apple.com',
  'https://fcm.googleapis.com',
  'https://*.notify.windows.com',
];

// The whole Content-Security-Policy lives in this one object so that only a
// single CSP header is emitted. Several headers are enforced as their
// intersection, which can break nonces.
const cspDirectives = {
  'default-src': ['self'],
  'script-src': ['self'],
  // NOTE(review): browsers ignore 'unsafe-inline' once a nonce or hash is
  // present in the same directive. Confirm whether SvelteKit adds one to
  // style-src here, i.e. which of the two is actually in effect.
  'style-src': ['self', 'unsafe-inline'],
  // NOTE(review): the scheme-only sources 'ws:' and 'wss:' match WebSocket
  // connections to any host. If the socket endpoints are known, listing
  // them explicitly keeps connect-src useful as an exfiltration barrier.
  'connect-src': ['self', 'ws:', 'wss:', ...pushServiceOrigins],
  'worker-src': ['self', 'blob:'],
  'img-src': ['self', 'data:', 'blob:', 'https://avatars.githubusercontent.com'],
  'font-src': ['self'],
  // Framing, plugins, <base> and form targets are locked down explicitly
  // because default-src does not cover frame-ancestors, base-uri or
  // form-action.
  'frame-ancestors': ['none'],
  'form-action': ['self'],
  'base-uri': ['self'],
  'manifest-src': ['self'],
  'object-src': ['none'],
};

/** @type {import('@sveltejs/kit').Config} */
const config = {
  preprocess: vitePreprocess(),
  kit: {
    adapter: adapter(),
    alias: {
      $lib: 'src/lib',
    },
    csrf: {
      trustedOrigins: loopbackOrigins,
    },
    csp: {
      // 'auto' lets SvelteKit choose nonces for dynamically rendered pages
      // and hashes for prerendered ones.
      mode: 'auto',
      directives: cspDirectives,
    },
  },
};

export default config;