fix: revert custom CSP - Helmet defaults are correct

Inline script was already extracted to swagger-init.js (BUG-004/005). Helmet defaults allow style-src unsafe-inline and font-src https, so Google Fonts and inline styles work without custom directives.
2026-02-14 22:31:18 +00:00 · 2026-02-14 22:31:18 +00:00 · 922230c108
commit 922230c108
parent 6aa1fa4d84
1 changed files with 1 additions and 12 deletions
--- a/src/index.ts
+++ b/src/index.ts
@ -23,18 +23,7 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
 // Load API keys from persistent store
 loadKeys();

-app.use(helmet({
-  crossOriginResourcePolicy: { policy: "cross-origin" },
-  contentSecurityPolicy: {
-    directives: {
-      defaultSrc: ["'self'"],
-      scriptSrc: ["'self'", "'unsafe-inline'"],
-      styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
-      imgSrc: ["'self'", "data:"],
-      fontSrc: ["'self'", "https://fonts.gstatic.com"],
-    }
-  }
-}));
+app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));

 // Differentiated CORS middleware
 app.use((req, res, next) => {