From b3373d6d85806a95e6fc8f3020583f3fae5df99f Mon Sep 17 00:00:00 2001 From: Deep Koluguri Date: Mon, 22 Jun 2026 19:47:00 -0400 Subject: [PATCH] fix: explicitly allow wss in CSP connectSrc --- backend/src/middleware/security.js | 1 + 1 file changed, 1 insertion(+) diff --git a/backend/src/middleware/security.js b/backend/src/middleware/security.js index 2a5b17d..8aaf010 100644 --- a/backend/src/middleware/security.js +++ b/backend/src/middleware/security.js @@ -10,6 +10,7 @@ export const setupSecurity = (app) => { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], scriptSrc: ["'self'", "https://static.cloudflareinsights.com", "'unsafe-inline'"], + connectSrc: ["'self'", "ws:", "wss:", "http:", "https:"], imgSrc: ["'self'", 'data:', 'https:'], }, },