From 7f88fc6b0fb846c8d719eb5ef8ee66190ff4aac4 Mon Sep 17 00:00:00 2001
From: Fedorov Vladimir
Date: Sat, 16 May 2026 15:23:17 +0700
Subject: [PATCH] fix
---
 cmd/evening_detective/main.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/cmd/evening_detective/main.go b/cmd/evening_detective/main.go
index c5ca0d4..0feba4d 100644
--- a/cmd/evening_detective/main.go
+++ b/cmd/evening_detective/main.go
@@ -125,7 +125,7 @@ func main() {
 // Server gRPC-Gateway
 gwServer := &http.Server{
 Addr: config.GrpcGatewayPort,
- Handler: cors(gwmux),
+ Handler: csp(cors(gwmux)),
 }
 log.Printf("Serving %s for gRPC-Gateway\n", grpcGatewayHost)
 go func() {
@@ -172,7 +172,6 @@ func cors(h http.Handler) http.Handler {
 w.Header().Set("Access-Control-Allow-Origin", "*")
 w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE")
 w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, Authorization, ResponseType, X-Id, X-Password")
- w.Header().Set("Content-Security-Policy", "connect-src 'self' evening-detective.crabs-games.art evening-detective-admin.crabs-games.art;")
 if r.Method == "OPTIONS" {
 return
 }
@@ -180,6 +179,20 @@ func cors(h http.Handler) http.Handler {
 })
 }
 
+func csp(h http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set(
+ "Content-Security-Policy",
+ "default-src 'self'; "+
+ "connect-src 'self' https://evening-detective-api.crabs-games.art; "+
+ "script-src 'self'; "+
+ "style-src 'self'; "+
+ "img-src 'self' data:;",
+ )
+ h.ServeHTTP(w, r)
+ })
+}
+
 func loggingMiddleware(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 start := time.Now()
@@ -190,4 +203,3 @@ func loggingMiddleware(next http.Handler) http.Handler {
 next.ServeHTTP(w, r)
 })
 }
-
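Review bot: The `gwServer` literal in the first hunk still sets only `Addr` and `Handler`, so the listener that now carries the CSP wrapper has no read or idle timeouts and a slow client can hold connections open indefinitely. Consider adding `ReadHeaderTimeout: 10 * time.Second,` next to `Handler: csp(cors(gwmux)),`, plus `ReadTimeout`/`IdleTimeout` values sized to the gateway's longest legitimate request. The wrapping order itself looks right: with `csp` outermost, the header is also set on the `OPTIONS` responses that `cors` appears to answer without reaching the inner handler. `main` starts and ends outside the hunk, so fields assigned to `gwServer` later would not be visible here.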
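Review bot: The policy string built in `csp` omits the directives that do not fall back to `default-src`, namely `frame-ancestors`, `base-uri` and `form-action`, so framing and `<base>`/form targets stay unrestricted. Appending `"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"` to the concatenation would close that gap. `csp` has no doc comment; `// csp sets a fixed Content-Security-Policy header on every response before delegating to h.` would do, and the hard-coded API origin may belong in `config` alongside `GrpcGatewayPort`. A CSP only constrains documents delivered with this header and does not limit who may call the gateway. `cors` in the previous hunk still sends `Access-Control-Allow-Origin: *` while allowing the `Authorization` and `X-Password` headers, so any origin restriction has to be enforced there.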