# config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy do |policy|
  policy.default_src :self          # fallback for any fetch directive not listed below
  policy.script_src :self           # no inline or third-party scripts; add a nonce for inline ones
  policy.style_src :self            # stylesheets only from our own origin
  policy.img_src :self, :data       # own origin plus data: URIs (inline images)
  policy.connect_src :self          # XHR/fetch/WebSocket targets limited to our origin
  policy.frame_ancestors :none      # nobody may frame this app (clickjacking defense)
end

# Send Content-Security-Policy-Report-Only instead of Content-Security-Policy:
# violations are reported but not blocked. Flip to false once the policy is clean.
Rails.application.config.content_security_policy_report_only = true
CSP is a strong defense-in-depth measure against XSS. Start in report-only mode to learn what the policy would break, then switch to enforcement. Keep the policy explicit (no wildcards or 'unsafe-inline') and use per-request nonces for inline scripts when they cannot be avoided.
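To make the report-only/enforce switch and the nonce mechanism concrete, here is an added example in plain Ruby (not code from the original page, and not Rails' own implementation) that renders the policy above to a response header, appends a per-request nonce to script-src, and checks whether an inline script tag carries that nonce. The module name `CspExample`, the `POLICY` table and the optional `report_uri` parameter are assumptions made for this illustration.

```ruby
require "securerandom"

# Added example (not from the original page): models how the initializer's
# policy becomes a CSP header, with a per-response script nonce and the
# report-only/enforce switch. Plain Ruby, no Rails dependency.
module CspExample
  # Map the symbols used in the Rails DSL to their CSP keyword spellings.
  KEYWORDS = { :self => "'self'", :none => "'none'", :data => "data:" }.freeze

  # Directive name -> sources, mirroring the initializer (assumed table).
  POLICY = {
    "default-src"     => [:self],
    "script-src"      => [:self],
    "style-src"       => [:self],
    "img-src"         => [:self, :data],
    "connect-src"     => [:self],
    "frame-ancestors" => [:none],
  }.freeze

  # One fresh, unguessable nonce per response; never reuse across responses.
  def self.new_nonce
    SecureRandom.base64(16)
  end

  def self.source_value(src)
    KEYWORDS.fetch(src) { src.to_s } # unknown symbols/strings pass through as hosts
  end

  # Render the policy to a header value. The nonce is added to script-src only,
  # so an inline <script> executes solely when it carries this exact nonce.
  def self.header_value(policy = POLICY, nonce: nil, report_uri: nil)
    directives = policy.map do |name, sources|
      values = sources.map { |s| source_value(s) }
      values << "'nonce-#{nonce}'" if nonce && name == "script-src"
      "#{name} #{values.join(' ')}"
    end
    directives << "report-uri #{report_uri}" if report_uri
    directives.join("; ")
  end

  # Report-only mode changes the header name, not the policy text.
  def self.header_name(report_only:)
    report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  end

  # The [name, value] pair a response would carry for the given mode.
  def self.csp_header(report_only:, nonce:, report_uri: nil)
    [header_name(report_only: report_only),
     header_value(POLICY, nonce: nonce, report_uri: report_uri)]
  end

  # Would the browser run this inline <script> under our policy? Only if the
  # tag's nonce attribute matches the nonce issued for this response.
  def self.inline_script_allowed?(tag, nonce)
    m = tag.match(/<script\b[^>]*\bnonce="([^"]*)"/i)
    !m.nil? && m[1] == nonce
  end
end

if __FILE__ == $0
  nonce = CspExample.new_nonce
  name, value = CspExample.csp_header(report_only: true, nonce: nonce)
  puts "#{name}: #{value}"
  puts "inline with nonce allowed:    #{CspExample.inline_script_allowed?(%(<script nonce="#{nonce}">init()</script>), nonce)}"
  puts "inline without nonce allowed: #{CspExample.inline_script_allowed?('<script>init()</script>', nonce)}"
end
```

Running the file prints the report-only header and shows that only the nonced inline script would be allowed; switching `report_only:` to `false` yields the enforcing header with the same policy text, which is exactly the cut-over the initializer's last line controls.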