fix: allow localhost in CSP connect-src during development

Dev env vars (_CLIENT suffixed) are empty, so localhost:3001 (auth), localhost:3050 (sync), localhost:3060 (api) were blocked by CSP. Added http://localhost:* and ws://localhost:* to connect-src when NODE_ENV !== 'production'. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-15 06:41:08 +02:00 · 2026-04-03 12:37:13 +02:00 · 2026-04-03 12:37:13 +02:00 · f0d5ba2128
commit f0d5ba2128
parent d368bd34b5
1 changed files with 3 additions and 0 deletions
--- a/apps/manacore/apps/web/src/hooks.server.ts
+++ b/apps/manacore/apps/web/src/hooks.server.ts
@ -112,6 +112,7 @@ window.__PUBLIC_GLITCHTIP_DSN__ = ${JSON.stringify(PUBLIC_GLITCHTIP_DSN)};
 		},
 	});

+	const isDev = process.env.NODE_ENV !== 'production';
 	setSecurityHeaders(response, {
 		connectSrc: [
 			PUBLIC_MANA_CORE_AUTH_URL_CLIENT,
@ -130,6 +131,8 @@ window.__PUBLIC_GLITCHTIP_DSN__ = ${JSON.stringify(PUBLIC_GLITCHTIP_DSN)};
 			PUBLIC_MANA_MEDIA_URL_CLIENT,
 			PUBLIC_MANA_LLM_URL_CLIENT,
 			'wss://sync.mana.how',
+			// Allow all localhost ports in development
+			...(isDev ? ['http://localhost:*', 'ws://localhost:*'] : []),
 		].filter(Boolean),
 	});