fix: SPA deep-link assets and broken home screen CSS

Three root causes addressed: 1. Added <base href="/"> to index.html so all relative asset paths (css/app.css, js/*.js) resolve from the root regardless of the current SPA route. Without this, /instance/117 requested /instance/css/app.css, which hit the SPA fallback and returned HTML; helmet's nosniff then refused it as a stylesheet. 2. Removed upgrade-insecure-requests from the CSP (useDefaults: false). This directive told browsers to upgrade HTTP→HTTPS for every asset request, breaking all resource loading on HTTP-only deployments. 3. Changed script-src-attr from 'none' to 'unsafe-inline' to allow the inline onclick handlers used throughout the UI. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 09:52:48 -04:00
parent 79adc365d8
commit 01f83d25f6
3 changed files with 52 additions and 3 deletions
--- a/server/server.js
+++ b/server/server.js
@@ -11,10 +11,18 @@ export const app = express();

 app.use(helmet({
  contentSecurityPolicy: {
+    useDefaults: false, // explicit — upgrade-insecure-requests breaks HTTP deployments
    directives: {
-      ...helmet.contentSecurityPolicy.getDefaultDirectives(),
-      'style-src':  ["'self'", 'https://fonts.googleapis.com'],
-      'font-src':   ["'self'", 'https://fonts.gstatic.com'],
+      'default-src':     ["'self'"],
+      'base-uri':        ["'self'"],
+      'font-src':        ["'self'", 'https://fonts.gstatic.com'],
+      'form-action':     ["'self'"],
+      'frame-ancestors': ["'self'"],
+      'img-src':         ["'self'", 'data:'],
+      'object-src':      ["'none'"],
+      'script-src':      ["'self'"],
+      'script-src-attr': ["'unsafe-inline'"], // allow onclick handlers
+      'style-src':       ["'self'", 'https://fonts.googleapis.com'],
    },
  },
 }));