From b4ade5b40c4f91901a86ac9af11f1140e14e2355 Mon Sep 17 00:00:00 2001
From: sabdosh <sihhamm.1805@hotmail.com>
Date: Tue, 5 May 2026 21:58:21 +1000
Subject: [PATCH 1/2] Implement global security headers and CSP

---
 config/application.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/config/application.rb b/config/application.rb
index 2b54558e56..759899af59 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -18,6 +18,13 @@ module Doubtfire
   class Application < Rails::Application
     config.load_defaults 7.0
 
+    config.action_dispatch.default_headers.merge!({
+    'X-Frame-Options' => 'DENY',
+    'X-Content-Type-Options' => 'nosniff',
+    'Referrer-Policy' => 'no-referrer',
+    'Permissions-Policy' => 'geolocation=(), camera=(), microphone=()',
+    'Content-Security-Policy' => "default-src 'self';"})
+
     # Remove Action Mailbox and Active Storage routes - not used
     initializer(:remove_action_mailbox_and_activestorage_routes, after: :add_routing_paths) do |app|
       app.routes_reloader.paths.delete_if { |path| path =~ /activestorage/ }

From a8d795e555611210627622fa84c759c271abd736 Mon Sep 17 00:00:00 2001
From: 224599437 <s224599437@deakin.edu.au>
Date: Thu, 14 May 2026 13:06:58 +1000
Subject: [PATCH 2/2] Update application.rb with couple of Content-security
 headers

Update application.rb with couple of Content-security headers so that the rail server executes and shows the localhost:3000/api/docs page
---
 config/application.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index 759899af59..5cc2b55610 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -23,8 +23,7 @@ class Application < Rails::Application
     'X-Content-Type-Options' => 'nosniff',
     'Referrer-Policy' => 'no-referrer',
     'Permissions-Policy' => 'geolocation=(), camera=(), microphone=()',
-    'Content-Security-Policy' => "default-src 'self';"})
-
+    'Content-Security-Policy' => "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' http://fonts.googleapis.com https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;"})
     # Remove Action Mailbox and Active Storage routes - not used
     initializer(:remove_action_mailbox_and_activestorage_routes, after: :add_routing_paths) do |app|
       app.routes_reloader.paths.delete_if { |path| path =~ /activestorage/ }