- [ ] `img-src` includes CDN (jsdelivr), which could be hashed easily
- [ ] `script-src` includes `unsafe-inline`
- [ ] `style-src` includes `unsafe-inline`
  - The style is probably only coming from /apks, which could be fixed easily by adding a hash to the CSS in the directory index page.
  - Scripts are loaded in several places:
    - Prometheus (setting global values).
    - Alertmanager (loading the app).
    - Homepage (JSON data).
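As an added example (not code from this project), the script below shows the hashing fix the checklist proposes for the `unsafe-inline` items: it pulls every inline `<style>` and `<script>` body out of a page, computes the `sha256-...` source expression CSP expects for each, and assembles a header in which `'self'` plus those hashes replace `unsafe-inline`. The CDN host is listed in `img-src` rather than hashed, since CSP hashes apply to inline script and style sources. The HTML, the `PROM_EXTERNAL_URL` global and the `https://cdn.jsdelivr.net` host are constructed sample values, not the project's real pages.

```python
import base64
import hashlib
import re

# Constructed sample page standing in for a directory index like /apks:
# one inline <style> block and one inline <script> setting a global value.
SAMPLE_HTML = """<html><head>
<style>
body { font-family: monospace; }
</style>
<script>window.PROM_EXTERNAL_URL = "/prometheus";</script>
</head><body><a href="app.apk">app.apk</a></body></html>
"""


def csp_hash(source: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for one inline block.

    The digest covers exactly the bytes between the opening and closing tag,
    leading and trailing whitespace included. Trimming or reindenting the
    block on the page without recomputing the hash makes the browser block it.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_blocks(html: str, tag: str) -> list:
    """Collect the bodies of every inline <tag>...</tag> that has no src attribute.

    Blocks loaded via src are governed by the host list ('self', a CDN host),
    not by a hash, so they are skipped here.
    """
    pattern = re.compile(
        r"<%s(?![^>]*\bsrc=)[^>]*>(.*?)</%s>" % (tag, tag), re.S | re.I
    )
    return pattern.findall(html)


def build_csp(html: str, cdn_hosts=()) -> str:
    """Build a CSP header value for the page without unsafe-inline.

    Inline scripts and styles are allowed by hash; external resources must
    come from the site itself, and images additionally from cdn_hosts.
    """
    script_hashes = [csp_hash(body) for body in inline_blocks(html, "script")]
    style_hashes = [csp_hash(body) for body in inline_blocks(html, "style")]
    directives = [
        "default-src 'self'",
        "img-src " + " ".join(("'self'",) + tuple(cdn_hosts)),
        "script-src " + " ".join(["'self'"] + script_hashes),
        "style-src " + " ".join(["'self'"] + style_hashes),
    ]
    return "; ".join(directives)


if __name__ == "__main__":
    print("Content-Security-Policy: " + build_csp(SAMPLE_HTML, ("https://cdn.jsdelivr.net",)))
```

The hash approach fits content that is fixed at deploy time, such as the CSS in the directory index. For inline content that changes per response (the homepage's JSON data, for instance), every render would need a fresh hash, so a per-response nonce is the usual alternative there.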