From 95cd788bc91b9fcbf152223e2204c82d7490831f Mon Sep 17 00:00:00 2001 From: Snider Date: Tue, 10 Mar 2026 05:25:57 +0000 Subject: [PATCH] =?UTF-8?q?fix:=20CSP=20defaults=20for=20Livewire=20?= =?UTF-8?q?=E2=80=94=20disable=20nonces,=20allow=20unsafe-inline?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Livewire and Alpine inject inline scripts/styles at runtime without nonce attributes. Nonce-based CSP breaks all Livewire apps out of the box. Change defaults: - nonce_enabled: false (opt-in via SECURITY_CSP_NONCE_ENABLED=true) - production env: add 'unsafe-inline' for script-src and style-src - Add host_analytics external source (SECURITY_CSP_HOST_ANALYTICS) Co-Authored-By: Virgil --- src/Core/Headers/config.php | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/src/Core/Headers/config.php b/src/Core/Headers/config.php index 0b05b69..40f70e5 100644 --- a/src/Core/Headers/config.php +++ b/src/Core/Headers/config.php @@ -50,8 +50,8 @@ return [ | CSP controls which resources can be loaded. Configure directives below. | Set 'enabled' to false to disable CSP entirely. | - | IMPORTANT: Avoid 'unsafe-inline' and 'unsafe-eval' in production. - | Use nonces or hashes for inline scripts/styles instead. + | Livewire and Alpine require 'unsafe-inline' for runtime-injected + | content. Nonce-based CSP is available but opt-in via env var. | */ @@ -79,8 +79,10 @@ return [ | */ - // Enable nonce-based CSP (recommended for production) - 'nonce_enabled' => env('SECURITY_CSP_NONCE_ENABLED', true), + // Enable nonce-based CSP. Disabled by default because Livewire and + // Alpine inject inline scripts/styles that cannot carry nonces. + // Enable only if your app does not use Livewire. + 'nonce_enabled' => env('SECURITY_CSP_NONCE_ENABLED', false), // Nonce length in bytes (16 = 128 bits, recommended minimum) 'nonce_length' => env('SECURITY_CSP_NONCE_LENGTH', 16), 
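Review bot: The replaced comment block loses the only warning about 'unsafe-eval' and no longer says what 'unsafe-inline' costs, so a reader of this header now sees the relaxation presented as a requirement with no trade-off. I would keep one line of the old caveat alongside the new text: `| Note: 'unsafe-inline' in script-src disables CSP's inline-script XSS mitigation; prefer nonces (SECURITY_CSP_NONCE_ENABLED=true) where the app allows, and never add 'unsafe-eval'.` Since this is a docblock, the change is documentation only.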
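Review bot: The new comment on `nonce_enabled` asserts that Livewire and Alpine inline content "cannot carry nonces", which is stronger than the commit message supports; if I recall correctly, Livewire's script directive accepts a nonce option and Alpine publishes a CSP-compatible build, so the limitation is specific to runtime-injected blocks and inline expressions rather than absolute, and stating it this way steers every deployment away from the safer mode. I would soften it to `// Off by default: Livewire/Alpine inject inline scripts and styles at runtime that do not carry the nonce. Enable once your setup (e.g. Alpine's CSP build plus a nonce on the Livewire script tag) passes the nonce everywhere.` It is also worth a sentence that, per CSP Level 2, a nonce-source in script-src makes browsers ignore 'unsafe-inline' in that same directive, so turning this on against the production defaults in this patch silently drops the inline fallback — the intended strict mode, but a surprise for anyone who flips the flag expecting both to apply. This assumes the nonce, when enabled, is emitted into the same script-src/style-src directives built from this config; the consuming code is not in the hunk.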
@@ -167,8 +169,12 @@ return [ 'style-src' => ["'unsafe-inline'"], ], 'production' => [ - // Production should be strict - no unsafe-inline - // Add nonce support or specific hashes as needed + // Livewire and Alpine require unsafe-inline for their + // runtime-injected scripts and styles. Enable nonces + // (SECURITY_CSP_NONCE_ENABLED=true) only if all inline + // content carries the nonce attribute. + 'script-src' => ["'unsafe-inline'"], + 'style-src' => ["'unsafe-inline'"], ], ], @@ -208,6 +214,13 @@ return [ 'script-src' => ['https://connect.facebook.net'], 'frame-src' => ['https://www.facebook.com'], ], + + 'host_analytics' => [ + 'enabled' => env('SECURITY_CSP_HOST_ANALYTICS', false), + 'script-src' => ['https://analytics.host.uk.com'], + 'connect-src' => ['https://analytics.host.uk.com'], + 'img-src' => ['https://analytics.host.uk.com'], + ], ], ],
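Review bot: Adding 'unsafe-inline' to the production `script-src` removes the protection that directive exists to give — any injected `<script>` or inline event handler executes — so the production profile is now only restricting external script origins, and the comment should say so rather than only that the frameworks need it. If the real constraint is injected `<style>` blocks and a small set of bootstrap scripts, keeping `'style-src' => ["'unsafe-inline'"]` while serving scripts under a nonce (or 'sha256-…' hashes for the fixed inline snippets) preserves most of the value; at minimum I would add `// WARNING: 'unsafe-inline' in script-src neutralises CSP's XSS mitigation; prefer SECURITY_CSP_NONCE_ENABLED=true where possible.` Separately, the standard Alpine build evaluates `x-data`/`x-on` expressions with `new Function`, which 'unsafe-inline' does not permit without 'unsafe-eval' — if that is the case here, this default still does not make Alpine work out of the box, which is worth confirming before shipping the relaxation. The enclosing `environments` array starts and ends outside this hunk.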
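Review bot: `host_analytics` allowlists the entire origin `https://analytics.host.uk.com` for `script-src`, so anything served from that host can execute on every page once the flag is on; CSP source expressions accept a path, and if the tracker is a single file a path-scoped entry such as `'script-src' => ['https://analytics.host.uk.com/<tracker-path>']` (with the real path) narrows the blast radius of a compromise of that host. Defaulting `enabled` to `false` via `SECURITY_CSP_HOST_ANALYTICS` is the right call. The closing brackets of the enclosing `external_sources` block fall at the end of this hunk; its header is outside it.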