
Test validation for environmental Content-Security-Policy headers


In a recent production incident, several factors added to the confusion about our Content-Security-Policy (CSP) headers: what they should be versus what each environment was actually serving:

  • CSP headers in cny did not match prod
  • New CSP headers were being tested in staging and therefore the production incident could not be reproduced there and the solution could not be tested there
  • Because the endpoints were failing in production, we could only output the CSP header data locally, and the local headers might not have matched production either

How are headers set?

  • (Development) CSP headers can be configured in the application and might be different based on usage of the API or UI.
  • (Reliability) HAProxy and CloudFlare can also set and remove some headers.
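Because the application, HAProxy and CloudFlare can each change the header, a validation test has to compare the policy as it is actually served by a given environment against the policy we expect for that environment, not the value in the application config. The script below is an added example (not GitLab's code) of that comparison: it parses a CSP header into a directive-to-sources map, diffs it against the expected policy, and reports missing or extra directives and sources. The header values are constructed samples; in a real check the served value would come from the response headers of the environment under test.

```ruby
# Added example (not GitLab's own code): parse a Content-Security-Policy
# header into a directive -> sources map and diff two policies so that a
# per-environment test can report exactly which directive or source differs.
# The sample headers at the bottom are constructed for illustration only.

# Parse a CSP header value into { "directive" => [sorted sources...] }.
# Directives are ';'-separated; the first token is the directive name and the
# remaining tokens are source expressions. Directive names are case-insensitive.
def parse_csp(header)
  policy = {}
  header.to_s.split(";").each do |directive|
    tokens = directive.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    name = tokens.shift.downcase
    # Browsers ignore a repeated directive, so keep only the first occurrence.
    policy[name] ||= tokens.sort
  end
  policy
end

# Compare the expected policy with what an environment actually served.
# Empty arrays/hashes in the result mean the policies match.
def diff_csp(expected_header, actual_header)
  expected = parse_csp(expected_header)
  actual = parse_csp(actual_header)
  result = {
    missing_directives: expected.keys - actual.keys,
    extra_directives: actual.keys - expected.keys,
    source_diffs: {}
  }
  (expected.keys & actual.keys).each do |name|
    missing = expected[name] - actual[name]
    extra = actual[name] - expected[name]
    next if missing.empty? && extra.empty?
    result[:source_diffs][name] = { missing: missing, extra: extra }
  end
  result
end

# Convenience predicate for a test assertion.
def csp_matches?(expected_header, actual_header)
  d = diff_csp(expected_header, actual_header)
  d[:missing_directives].empty? && d[:extra_directives].empty? && d[:source_diffs].empty?
end

# Look the header up case-insensitively in a response header hash; HTTP header
# names are case-insensitive and a proxy or CDN may change the casing.
def csp_header_from(headers)
  key = headers.keys.find { |k| k.to_s.casecmp?("content-security-policy") }
  key && headers[key]
end

# Constructed sample values standing in for the expected policy and the policy
# one environment actually served (note the added 'unsafe-inline' and the
# missing frame-ancestors directive).
EXPECTED_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'"
SERVED_CSP   = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; report-uri /csp-report"

if __FILE__ == $PROGRAM_NAME
  puts "match: #{csp_matches?(EXPECTED_CSP, SERVED_CSP)}"
  diff_csp(EXPECTED_CSP, SERVED_CSP).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run once per environment (cny, prod, staging) with the expected header for that environment; a directive-level diff makes a mismatch between environments visible before it turns into an incident, and the case-insensitive lookup avoids a false "header missing" when the edge rewrites header casing.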