From 9de5b5aabbfcc3e343442a3aac7d9307794454bc Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 24 Mar 2026 09:26:46 +0000
Subject: [PATCH] security: enable CSRF, HSTS, and CSP in shield config

- Enable CSRF protection with XSRF cookie for Inertia.js/React SPA
- Enable HSTS with 180-day max-age and includeSubDomains
- Enable CSP with nonce-based script policy, unsafe-inline for Tailwind styles, and restrictive defaults for frames/objects
- Allow map tile sources in img-src for offline map support

https://claude.ai/code/session_01JFvpTYgm8GiE4vJ4cJKsFx
---
 admin/config/shield.ts | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/admin/config/shield.ts b/admin/config/shield.ts
index 5d981fd..4c89fe9 100644
--- a/admin/config/shield.ts
+++ b/admin/config/shield.ts
@@ -6,8 +6,19 @@ const shieldConfig = defineConfig({
 * to learn more
 */
 csp: {
- enabled: false,
- directives: {},
+ enabled: true,
+ directives: {
+ defaultSrc: ["'self'"],
+ scriptSrc: ["'self'", '@nonce'],
+ styleSrc: ["'self'", "'unsafe-inline'"],
+ imgSrc: ["'self'", 'data:', 'blob:', 'https://*.tile.openstreetmap.org'],
+ fontSrc: ["'self'"],
+ connectSrc: ["'self'"],
+ frameSrc: ["'none'"],
+ objectSrc: ["'none'"],
+ baseUri: ["'self'"],
+ formAction: ["'self'"],
+ },
 reportOnly: false,
 },
 
@@ -16,7 +27,7 @@ const shieldConfig = defineConfig({
 * to learn more
 */
 csrf: {
- enabled: false, // TODO: Enable CSRF protection
+ enabled: true,
 exceptRoutes: [],
 enableXsrfCookie: true,
 methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
@@ -35,8 +46,9 @@ const shieldConfig = defineConfig({
 * Force browser to always use HTTPS
 */
 hsts: {
- enabled: false, // TODO: Enable HSTS in production
+ enabled: true,
 maxAge: '180 days',
+ includeSubDomains: true,
 },
 
 /**
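Review bot: `frameSrc: ["'none'"]` in the csp hunk only restricts what this page may embed; protection against the admin UI being framed by another origin comes from `frame-ancestors`, so unless the shield `xFrame` option is enabled elsewhere in this file (outside the hunk) the directives should also carry `frameAncestors: ["'none'"],`. The commit message attributes `'unsafe-inline'` in `styleSrc` to Tailwind, but a compiled Tailwind bundle is a stylesheet served from `'self'`; what typically needs `'unsafe-inline'` is inline `style=` attributes written by a map library, so the real reason should be confirmed and recorded with a comment such as `// 'unsafe-inline' is for inline style attributes set at runtime, not the Tailwind bundle`. `imgSrc` opens `https://*.tile.openstreetmap.org` while the message describes "offline map support" — if tiles are served locally that host entry can be dropped, and if they are fetched live the message and a comment should say so. Because `reportOnly` stays `false`, this policy blocks on first deploy; if the SPA is served through a Vite dev server, the `'self'`-only `scriptSrc`/`styleSrc`/`connectSrc` will presumably block dev assets, so verify against the installed @adonisjs/shield version which Vite keywords it provides before merging. The enclosing `shieldConfig` object starts and ends outside all three hunks.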