Rails.application.config.session_store(
:cookie_store,
key: '_codesnips_session',
secure: Rails.env.production?,
httponly: true,
same_site: :lax,
class CspReportsController < ActionController::API
def create
Rails.logger.warn({
event: 'csp_report',
report: params.to_unsafe_h,
ip: request.remote_ip,
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins 'https://app.example.com', 'https://admin.example.com'
resource '/api/*',
headers: %w[Authorization Content-Type],
methods: %i[get post patch delete options],
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; object-src 'none'" always;