smoothschedule/legacy_reference/frontend/CSP-PRODUCTION.md
poduck 2e111364a2 Initial commit: SmoothSchedule multi-tenant scheduling platform
This commit includes:
- Django backend with multi-tenancy (django-tenants)
- React + TypeScript frontend with Vite
- Platform administration API with role-based access control
- Authentication system with token-based auth
- Quick login dev tools for testing different user roles
- CORS and CSRF configuration for local development
- Docker development environment setup

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-27 01:43:20 -05:00


Content Security Policy for Production

During development, CSP is disabled in index.html to avoid conflicts with browser extensions.

For production, deliver the policy as a response header from whatever sits in front of the app (nginx or Cloudflare), for example:

# nginx configuration
add_header Content-Security-Policy "
  default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://connect-js.stripe.com blob:;
  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
  font-src 'self' https://fonts.gstatic.com;
  img-src 'self' data: https:;
  connect-src 'self' https://api.stripe.com https://connect-js.stripe.com https://yourdomain.com;
  frame-src 'self' https://js.stripe.com https://connect-js.stripe.com;
" always;

Two caveats before deploying this policy. First, 'unsafe-inline' and 'unsafe-eval' in script-src allow any script an attacker manages to inject into the page to execute, so as written the policy limits where script files may be loaded from but gives almost no protection against reflected or stored XSS. A Vite production build normally loads its JavaScript from external files, so check whether either keyword is actually needed and prefer a nonce or hash for any inline script that remains. Second, an HTTP header value cannot contain line breaks: the multi-line layout above is for readability, and in the deployed configuration the value must be written on a single line. The policy also sets no object-src, base-uri or frame-ancestors; the last two do not inherit from default-src, so nothing in this header restricts where the page may be framed.

Why not in HTML meta tag?

  1. Browser extensions interfere: extensions inject their own scripts and styles into every page, and a policy shipped in index.html blocks them and fills the console with violations the application did not cause. Keeping the policy out of the development HTML keeps those false alarms out of local builds.
  2. Dynamic configuration: the allowed origins differ between development (lvh.me) and production (yourdomain.com), and a header can carry the right list for each environment.
  3. Better control: server headers can be changed per environment, or tightened after an incident, without rebuilding or editing the frontend source.
  4. Standard practice: the header form is the recommended one. It is applied before any markup is parsed, it covers non-HTML responses too, and several directives (frame-ancestors, report-uri, sandbox) are ignored when the policy is delivered in a meta tag.

Testing CSP

Paste the deployed header value into https://csp-evaluator.withgoogle.com/, which flags the weaknesses discussed above (unsafe keywords in script-src, a missing object-src 'none', a missing base-uri). Confirm the header is actually served, with the whole value on one line, by fetching the site's response headers with curl -I. When changing a live policy, ship it first as Content-Security-Policy-Report-Only with a report-uri or report-to endpoint, review the reports, and only then switch to the enforcing header.
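As an added example (not code from the SmoothSchedule repository), the following Python script performs a subset of csp-evaluator's checks offline, so a policy can be reviewed in CI or before it is pasted into nginx. The policy it lints is the one from this page, collapsed onto one line; the directive names and fallback rules come from the CSP specification, while the function names and finding messages are this example's own.

```python
"""Offline lint for a Content-Security-Policy header value.

Added example for this page, not SmoothSchedule project code. It checks a
policy for the weaknesses discussed above: unsafe script sources, a missing
object-src 'none', directives that do not fall back to default-src, and a
header value that still contains line breaks.
"""
import re

# Directives that do NOT inherit from default-src; omitting them means
# "unrestricted", not "same as default-src".
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")

# Source expressions that let injected script execute.
OPEN_SCRIPT_SOURCES = {"*", "http:", "https:", "data:", "'unsafe-inline'", "'unsafe-eval'"}

# Constructed sample: the policy shown in this document, joined onto one line.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com "
    "https://connect-js.stripe.com blob:; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "img-src 'self' data: https:; "
    "connect-src 'self' https://api.stripe.com https://connect-js.stripe.com "
    "https://yourdomain.com; "
    "frame-src 'self' https://js.stripe.com https://connect-js.stripe.com"
)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace. Browsers ignore
    a repeated directive name after its first occurrence, so the parser keeps
    the first one too.
    """
    directives: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(value: str) -> list[tuple[str, str]]:
    """Return (directive, problem) pairs; an empty list means no finding."""
    findings: list[tuple[str, str]] = []

    # HTTP header values cannot contain bare CR/LF. A multi-line nginx value
    # has to be collapsed onto one line before it is deployed.
    if "\n" in value or "\r" in value:
        findings.append(("header", "value contains a line break; write it on one line"))
        value = re.sub(r"[\r\n]+", " ", value)

    directives = parse_csp(value)
    default = directives.get("default-src", [])

    # script-src falls back to default-src; whichever applies decides what an
    # injected <script> may do.
    script_directive = "script-src" if "script-src" in directives else "default-src"
    for src in directives.get(script_directive, []):
        if src in OPEN_SCRIPT_SOURCES:
            findings.append((script_directive, f"{src} lets injected script run"))

    # object-src also falls back to default-src; anything but 'none' allows
    # plugin content to load.
    if directives.get("object-src", default) != ["'none'"]:
        findings.append(("object-src", "should be 'none' unless plugins are required"))

    for name in NO_FALLBACK:
        if name not in directives:
            findings.append((name, "missing, and it does not inherit from default-src"))

    return findings


if __name__ == "__main__":
    for directive, problem in lint_csp(SAMPLE_POLICY):
        print(f"{directive}: {problem}")
```

Run against the page's policy it reports the two unsafe script keywords, the object-src fallback and the three missing no-fallback directives; against a policy that drops the unsafe keywords and adds object-src 'none', base-uri, form-action and frame-ancestors it reports nothing. The line-break check is there because the value copied straight out of the multi-line nginx snippet would otherwise pass every other check while still being an invalid header.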