From 11a170eb035674c6f35913ef48dc85a3f0d7fc77 Mon Sep 17 00:00:00 2001
From: Alexandre Bodin
Date: Tue, 26 Oct 2021 16:14:39 +0200
Subject: [PATCH] Strict CSP config

---
 packages/core/strapi/lib/middlewares/security.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/core/strapi/lib/middlewares/security.js b/packages/core/strapi/lib/middlewares/security.js
index 4e5d396b48..0ac880cec6 100644
--- a/packages/core/strapi/lib/middlewares/security.js
+++ b/packages/core/strapi/lib/middlewares/security.js
@@ -8,7 +8,12 @@ const defaults = {
   crossOriginOpenerPolicy: false,
   crossOriginResourcePolicy: false,
   originAgentCluster: false,
-  contentSecurityPolicy: false,
+  contentSecurityPolicy: {
+    useDefaults: true,
+    directives: {
+      'connect-src': ["'self'", 'https:'],
+    },
+  },
   xssFilter: false,
   hsts: {
     maxAge: 31536000,
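Review bot: The `'https:'` source in the new `'connect-src'` directive is a scheme-wide allowance, so fetch/XHR/WebSocket connections initiated from an injected script are permitted to any HTTPS origin; that makes this directive much weaker than the "strict" in the commit title suggests and leaves exfiltration only scheme-limited. If the wildcard is needed because the admin panel calls origins that are not known at config time, the reason belongs next to the line, e.g. `// 'https:' permits connections to any HTTPS origin; narrow to explicit hosts where the deployment allows it`. Because `useDefaults: true` also pulls in helmet's default directive set (not visible in this hunk), the merged policy differs from the single directive shown here; a short comment noting that the defaults are inherited and where to override them would help operators reading `defaults`. The surrounding `defaults` object starts before and ends after this hunk.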