CSP for Supabase Auth Without Breaking Login

Supabase Auth is one of those tools that feels simple right up until you add a strict Content Security Policy. Then login starts failing in weird ways: OAuth popups stop working, token refresh breaks, realtime disconnects, and you end up loosening your policy until it barely counts as CSP. I’ve made that mistake before. The fix is not to throw https: everywhere and hope for the best. The fix is to understand exactly what Supabase Auth needs, then allow only that. ...

April 20, 2026 · 7 min · headertest.com