Description:
Currently, Document360 KB sites inject the Content Security Policy (CSP) using a <meta http-equiv="Content-Security-Policy"> tag in the HTML <head>. This approach:
Is not detected by automated security scanning tools, which evaluate HTTP response headers rather than page markup.
Cannot carry certain directives: browsers ignore frame-ancestors, sandbox, report-uri and report-to in a <meta> policy, so a header is the only way to enforce them or to receive violation reports.
Is less effective against some XSS scenarios than header-based enforcement: a <meta> policy only takes effect once the parser reaches it, so markup that precedes it (or is injected ahead of it) is not covered.
Additionally, the X-Content-Type-Options: nosniff header is missing, which causes security scan failures. It has not been implemented because of MIME type concerns: when customers upload files without a proper Content-Type, nosniff stops the browser from guessing the type, so such files could fail to render.
Requested Scope:
Implement CSP as an HTTP response header with safe default directives.
Add X-Content-Type-Options: nosniff header (with file content type validation).
Include CSP directives requested by customers:
form-action — restrict form submission destinations.
default-src — define fallback sources for all resource types.
report-uri / report-to — collect CSP violation reports; combined with the Content-Security-Policy-Report-Only header (which, like these directives, cannot be delivered via <meta>) this allows logging violations without enforcing the policy.
Review script-src, style-src, frame-src, and worker-src for the possibility of removing 'unsafe-inline' and 'unsafe-eval'.
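As an added illustration of the requested scope (this is example code, not Document360's implementation), the following Python renders a header-based policy with the requested directives, emits either the enforcing or the Report-Only header, flags directives that a <meta> policy would silently drop, lists the 'unsafe-*' tokens still present in the directives under review, and validates an upload's declared Content-Type against its magic bytes so that nosniff can be sent without breaking mislabeled files. The allow-listed hosts, the reporting endpoint and the signature table are assumptions for the example.

```python
# Added example, not Document360 code. Hostnames, the reporting endpoint and the
# signature table are placeholders chosen for illustration.
from __future__ import annotations

# Directives a browser ignores when the policy is delivered via <meta http-equiv>.
META_UNSUPPORTED = {"frame-ancestors", "sandbox", "report-uri", "report-to"}

# Directives the request asks to review for 'unsafe-inline' / 'unsafe-eval'.
REVIEW_DIRECTIVES = ("script-src", "style-src", "frame-src", "worker-src")
UNSAFE_TOKENS = {"'unsafe-inline'", "'unsafe-eval'"}

# Safe default policy (hypothetical allow-lists) covering the requested directives.
DEFAULT_POLICY: dict[str, list[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "style-src": ["'self'", "'unsafe-inline'"],  # candidate for removal per review
    "img-src": ["'self'", "data:", "https:"],
    "font-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "frame-src": ["'self'"],
    "worker-src": ["'self'", "blob:"],
    "frame-ancestors": ["'none'"],   # header-only directive
    "form-action": ["'self'"],
    "base-uri": ["'self'"],
    "object-src": ["'none'"],
    "report-to": ["csp-endpoint"],   # header-only directive; group name below
}


def render_csp(policy: dict[str, list[str]]) -> str:
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(v)}" if v else d for d, v in policy.items())


def meta_incompatible(policy: dict[str, list[str]]) -> list[str]:
    """Directives in the policy that a <meta> delivery would ignore."""
    return sorted(set(policy) & META_UNSUPPORTED)


def unsafe_tokens(policy: dict[str, list[str]]) -> dict[str, list[str]]:
    """'unsafe-inline' / 'unsafe-eval' still present in the directives under review."""
    found: dict[str, list[str]] = {}
    for directive in REVIEW_DIRECTIVES:
        bad = [v for v in policy.get(directive, []) if v in UNSAFE_TOKENS]
        if bad:
            found[directive] = bad
    return found


def security_headers(policy: dict[str, list[str]], report_only: bool = False,
                     report_endpoint: str = "https://example.com/csp-reports") -> dict[str, str]:
    """Response headers to send: CSP (enforcing or Report-Only) plus nosniff.
    When the policy names a report-to group, a Reporting-Endpoints header binds it."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    headers = {name: render_csp(policy), "X-Content-Type-Options": "nosniff"}
    if "report-to" in policy:
        group = policy["report-to"][0]
        headers["Reporting-Endpoints"] = f'{group}="{report_endpoint}"'
    return headers


# Minimal signature table (assumption) for the upload types we are willing to label.
MAGIC: dict[str, bytes] = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}


def content_type_for_upload(declared: str, head: bytes) -> str:
    """Content-Type to serve for an uploaded file under nosniff.
    The declared type is kept only when the leading bytes match its signature;
    anything else is served as application/octet-stream, so a file that is really
    HTML or JavaScript is downloaded rather than executed in the KB origin."""
    signature = MAGIC.get(declared)
    if signature is not None and head.startswith(signature):
        return declared
    return "application/octet-stream"


if __name__ == "__main__":
    print("meta would drop:", meta_incompatible(DEFAULT_POLICY))
    print("still unsafe:", unsafe_tokens(DEFAULT_POLICY))
    for k, v in security_headers(DEFAULT_POLICY, report_only=True).items():
        print(f"{k}: {v}")
    # Constructed sample uploads: a real PNG header and HTML mislabeled as PNG.
    print(content_type_for_upload("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"))
    print(content_type_for_upload("image/png", b"<script>alert(1)</script>"))
```

Running the script with report_only=True first lets violations be logged while the 'unsafe-*' review proceeds; switching the flag to False swaps the header name without changing the policy text.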
Benefits:
Passes industry-standard security header scans (e.g., securityheaders.com), which only inspect HTTP response headers.
Meets customer security requirements without customers having to add the headers through a backend or proxy of their own.