Strict CSP on Static Hosting: Lessons from Azure SWA
Shipping script-src 'self' on Azure Static Web Apps: why per-request nonces are off the table, the Trusted Types / Pagefind trade-off, and pinning every header in staticwebapp.config.json.