Flip CSP from report-only to enforce-mode after observation period #184

New Issue

Open

opened 2026-05-14 17:33:08 +00:00 by chihlasm · 0 comments

chihlasm commented 2026-05-14 17:33:08 +00:00

Owner

Copy Link

CSP is currently in report-only mode. After a 2–3 week quiet observation period in PostHog, flip to enforce-mode.

Plan

1. Observe CSP violation reports in PostHog for 2–3 weeks of normal traffic
2. Whitelist legitimate sources (analytics, fonts, images, embedded media, etc.)
3. Re-verify reports are quiet for at least one full week
4. Flip Content-Security-Policy-Report-Only → Content-Security-Policy
5. Keep the report endpoint live to catch regressions

Acceptance

• Zero unexpected CSP violations during the final pre-flip observation week
• Enforce-mode shipped with a documented rollback (revert to report-only header)
• Dashboard / saved query in PostHog for post-flip violation monitoring

CSP is currently in report-only mode. After a 2–3 week quiet observation period in PostHog, flip to enforce-mode. ## Plan 1. Observe CSP violation reports in PostHog for 2–3 weeks of normal traffic 2. Whitelist legitimate sources (analytics, fonts, images, embedded media, etc.) 3. Re-verify reports are quiet for at least one full week 4. Flip `Content-Security-Policy-Report-Only` → `Content-Security-Policy` 5. Keep the report endpoint live to catch regressions ## Acceptance - Zero unexpected CSP violations during the final pre-flip observation week - Enforce-mode shipped with a documented rollback (revert to report-only header) - Dashboard / saved query in PostHog for post-flip violation monitoring

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/production-hardening

feat/l1-ai-tree-builder-phase-2a

docs/phase-2a-plus-taxonomy

feat/billing-plan-taxonomy

feat/self-serve-signup-phase-2

fix/seed-test-users-verified

fix/e2e-test-selectors

fix/ci-pytest-xdist

feat/admin-panel-rework-prod

feat/network-map-builder-prod

docs/update-changelog

feat/cockpit-harness

pre-ai-handoff

Labels

Clear labels

10x-analysis

From 10x product analysis

backend

FastAPI/Python work

bug

Something isn't working

collaboration

Team sharing, escalation, notifications

database

PostgreSQL/schema changes

documentation

Documentation updates

duplicate

This issue or pull request already exists

enhancement

Improvement to existing feature

feature

New functionality

frontend

React work

good first issue

Good for newcomers

help wanted

Extra attention is needed

integration

PSA, external service integrations

intelligence

Analytics, AI, data-driven features

invalid

This doesn't seem right

priority: high

Do this soon

priority: low

Nice to have

priority: medium

Important but not urgent

question

Further information is requested

quick-win

Low effort, high value

strategic

Long-term strategic bet

ux

User experience improvements

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

chihlasm

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: chihlasm/resolutionflow#184