Content Security Policy

LaunchFast ships with a strict Content Security Policy (CSP) that tells the browser which origins it may load scripts, styles, fonts, images and other resources from. The policy is configured with Helmet in server/index.ts.

Report-only mode

By default the CSP is deployed in report-only mode: Helmet sends a Content-Security-Policy-Report-Only header, so the browser logs every violation to the console but does not block anything. That avoids breaking a fresh deployment whose list of allowed origins has not been tuned yet. It also means report-only mode gives no protection on its own; treat it as a staging step on the way to enforcement, not as the finished configuration.

Enabling enforcement

To enforce the CSP, remove the reportOnly: true option from the Helmet configuration in server/index.ts (or set it to false). This switches the header from Content-Security-Policy-Report-Only to Content-Security-Policy; the directives themselves are unchanged. Before flipping it, exercise the application in report-only mode and resolve every violation the console shows, because each of those becomes a blocked resource once enforcement is on. After flipping it, keep monitoring for blocked resources and add the missing origins to the allowed list rather than loosening the policy with wildcards or 'unsafe-inline'.

Allowing additional resources

If your application loads resources from external origins (fonts, scripts, images, API endpoints), add each origin to the directive that governs that resource type in the Helmet configuration: fontSrc for fonts, scriptSrc for scripts, imgSrc for images, connectSrc for fetch and XHR targets, and so on. Add the concrete origin (scheme plus host) rather than a wildcard, and be especially careful with scriptSrc: any script a third-party host serves runs with your application's full privileges, so only add hosts you trust to that degree.

XSS protection

React escapes values interpolated into JSX as text or as attribute values, so rendering user-generated content the ordinary way is safe from XSS. That protection does not cover React's raw HTML rendering prop, dangerouslySetInnerHTML, which inserts a string as unescaped markup: never pass user-generated content to it. Escaping also does not validate URLs, so a user-controlled href or src should be checked to start with http: or https: before it is rendered, otherwise a javascript: URL will execute when followed.

CSRF protection

LaunchFast uses the CSRF utilities from remix-utils to prevent cross-site request forgery. The token is issued in a cookie and rendered into each form as a hidden field, and the action validates that the two match before accepting the submission; a page on another origin cannot read the cookie, so it cannot supply a matching field. This is built into forms automatically. If you hand-write a form or an action that bypasses that wiring, make sure the hidden token is still rendered and the action still validates it, since a mutating form without the check is unprotected.

Troubleshooting

If a resource is blocked by the CSP after enabling enforcement:

  1. Check the browser console for CSP violation reports. Each one names the directive that blocked the load and the blocked URI; the directive tells you which Helmet key to change (a font-src violation means fontSrc, a connect-src violation means connectSrc, and so on)
  2. Add the blocked resource's origin (scheme and host, not the full URL and not a wildcard) to that directive in the Helmet CSP configuration. If the blocked URI is reported as inline or eval, the fix is a nonce or hash, or removing the inline code, not an allow-list entry
  3. Redeploy and verify the resource loads correctly, then re-check the console for any further violations
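The configuration shape from "Allowing additional resources" and the three troubleshooting steps above, worked through in code. This is an added example and not LaunchFast's server/index.ts: it builds a directive map in the camelCase form Helmet's contentSecurityPolicy() accepts, serialises it to the header value the browser sees, and turns a CSP violation report into the single allow-list change that step 2 calls for. The directive values, the sample report and the helper names are constructed for this example; the Helmet call in the closing comment uses Helmet's real option names.

```javascript
// Added example for this page; it is not LaunchFast's server/index.ts.
// Directive values, the sample report and helper names are constructed.

// Restrictive baseline: 'self' everywhere, no plugins, no framing.
const directives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  styleSrc: ["'self'"],
  imgSrc: ["'self'", "data:"],
  fontSrc: ["'self'"],
  connectSrc: ["'self'"],
  objectSrc: ["'none'"],
  frameAncestors: ["'none'"],
  baseUri: ["'self'"],
  formAction: ["'self'"],
};

// Helmet key -> directive name (scriptSrc -> script-src) and back.
const toDirectiveName = (key) => key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
const toConfigKey = (name) => name.replace(/-([a-z])/g, (_, c) => c.toUpperCase());

// Serialise the map into a Content-Security-Policy header value.
function buildCsp(dirs) {
  return Object.entries(dirs)
    .map(([key, values]) => `${toDirectiveName(key)} ${values.join(" ")}`)
    .join("; ");
}

// Report-only and enforcing policies carry the same value; only the header
// name differs, which is what Helmet's reportOnly option switches.
function cspHeaderName(reportOnly) {
  return reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
}

// Blocked URIs browsers report that are not hosts. An "inline" or "eval" block
// needs a nonce, a hash, or removal of the inline code, not an allow-list entry.
const NON_HOST_URIS = new Set(["inline", "eval", "self", "data", "blob", "wasm-eval"]);

// Troubleshooting step 1: read the report, identify the directive and the origin.
// Field names are the standard csp-report keys browsers send to report-uri.
function suggestAllowance(report) {
  const body = report["csp-report"];
  const directive = (body["effective-directive"] || body["violated-directive"]).split(" ")[0];
  const blocked = body["blocked-uri"] || "";
  let origin = null;
  if (!NON_HOST_URIS.has(blocked)) {
    try { origin = new URL(blocked).origin; } catch { origin = null; }
  }
  return { key: toConfigKey(directive), origin };
}

// Troubleshooting step 2: allow that origin on that directive. Returns a new map
// and leaves the input untouched. Only a concrete https origin is accepted;
// wildcards and bare schemes would quietly widen the policy.
function allowSource(dirs, key, origin) {
  if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(origin)) {
    throw new Error(`expected a concrete https origin, got ${origin}`);
  }
  const current = dirs[key] || [];
  if (current.includes(origin)) return dirs;
  return { ...dirs, [key]: [...current, origin] };
}

// Steps 1 and 2 together: no change when the report is about inline code.
function fixFromReport(dirs, report) {
  const { key, origin } = suggestAllowance(report);
  return origin ? allowSource(dirs, key, origin) : dirs;
}

// Constructed report: a web font blocked by font-src once enforcement is on.
const sampleReport = {
  "csp-report": {
    "document-uri": "https://app.example.com/",
    "effective-directive": "font-src",
    "violated-directive": "font-src",
    "blocked-uri": "https://fonts.gstatic.com/s/inter/v12/inter.woff2",
    "disposition": "enforce",
  },
};

// Equivalent wiring in server/index.ts using Helmet's real option names:
//   app.use(helmet.contentSecurityPolicy({ directives, reportOnly: true }));
```

Running fixFromReport(directives, sampleReport) yields a map whose fontSrc is ["'self'", "https://fonts.gstatic.com"], and buildCsp() on it emits "font-src 'self' https://fonts.gstatic.com"; that single line is the change step 2 asks you to make before redeploying.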