Recipe: CSP (content-security-policy) builder

Generate a hardened Content-Security-Policy header for your Meridian-protected application.

Overview

A strict CSP prevents XSS, clickjacking, and data exfiltration. This recipe produces a policy tuned for Meridian's loader injection model: it allows only signed origins and blocks all inline script execution.

Base policy

default-src 'none';
script-src 'self' https://cdn.getnimbus.net;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://api.getnimbus.net;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
upgrade-insecure-requests;

Directive breakdown

default-src 'none'

Deny everything by default: a fail-closed posture.

script-src 'self' https://cdn.getnimbus.net

Only scripts from your origin and the Meridian CDN.

style-src 'self' 'unsafe-inline'

Permit inline styles for Tailwind; no third-party stylesheets. Note that 'unsafe-inline' in style-src gives up CSP's protection against injected CSS, so move to nonces or hashes if your build can emit them.

connect-src 'self' https://api.getnimbus.net

Restrict fetch/XHR to your own origin (your API) and the Meridian licensing endpoint.

frame-ancestors 'none'

Block all framing, which prevents clickjacking entirely.

base-uri 'self'

Prevent base-tag injection attacks.

Testing

Deploy with Content-Security-Policy-Report-Only first. Monitor violation reports for 48 hours before enforcing. Use the Meridian dashboard to verify no loader integrity checks trigger on CSP-induced block events.
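The base policy above, built and checked in code, as an added example that is not part of the Meridian docs: it serialises a directive map into the header value, lints it against the posture described in the breakdown, and derives the Report-Only header for the monitoring period (the /csp-report endpoint path is an assumed placeholder).

```javascript
// Added example, not Meridian's own code: build the base policy above from a
// directive map, lint it, and derive the Report-Only header for the rollout.
// The report endpoint path (/csp-report) is an assumed placeholder.

const BASE_DIRECTIVES = {
  'default-src': ["'none'"],
  'script-src': ["'self'", 'https://cdn.getnimbus.net'],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'https:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'", 'https://api.getnimbus.net'],
  'frame-ancestors': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'upgrade-insecure-requests': [],   // boolean directive: no value
};

// Serialise the map into a header value: "name src src; name src; ...;"
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [name, ...values].join(' '))
    .join('; ') + ';';
}

// Checks the hardened posture described in the breakdown; returns a list of
// problems (empty when the policy is acceptable).
function lintCsp(directives) {
  const has = (name, value) => (directives[name] || []).includes(value);
  const problems = [];
  if (!has('default-src', "'none'")) problems.push("default-src is not 'none' (not fail-closed)");
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:']) {
    if (has('script-src', bad)) problems.push(`script-src allows ${bad}`);
  }
  if (!has('frame-ancestors', "'none'")) problems.push('frame-ancestors does not block framing');
  if (!directives['base-uri']) problems.push('base-uri missing (base-tag injection)');
  return problems;
}

// Report-Only variant for the 48-hour monitoring period. Without report-uri
// (or report-to plus a Reporting-Endpoints header) browsers have nowhere to
// send violations, so the rollout would silently produce no data.
function reportOnlyHeader(directives, reportPath = '/csp-report') {
  const value = buildCsp({ ...directives, 'report-uri': [reportPath] });
  return { 'Content-Security-Policy-Report-Only': value };
}

console.log(buildCsp(BASE_DIRECTIVES));
console.log(lintCsp(BASE_DIRECTIVES));   // [] for the base policy
console.log(reportOnlyHeader(BASE_DIRECTIVES));
```

Run the lint in CI against the directive map you actually ship, so a later edit that loosens script-src fails the build rather than reaching production.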

Next step

Combine with the SRI integrity recipe for full subresource protection.