- Remove 'unsafe-inline' from script-src CSP directive - Restrict connectSrc and imgSrc to known external domains - Move Google API key from URL query parameter to X-Goog-Api-Key header - Sanitize error logging in production (no stack traces) - Log file link errors instead of silently swallowing them https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8 |
||
|---|---|---|
| .. | ||
| src | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||