CSP for Vite and modern build tools

Modern frontend tooling makes CSP both easier and more annoying. Easier, because production bundles are usually external files with stable paths and hashes. Annoying, because dev servers inject scripts, HMR opens WebSockets, CSS often lands inline during development, and plugins sneak in behavior you did not account for. If you run Vite, Rollup, webpack, Parcel, or esbuild-based stacks, the trick is simple: treat development CSP and production CSP as separate policies. Trying to force one policy to fit both is how teams end up shipping 'unsafe-inline' everywhere. ...
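One way to keep the two policies apart in code, as an added example (not code from the article or from Vite itself): a single `buildCsp()` that emits a strict production policy and a looser development policy that only adds what the Vite dev server actually needs (HMR WebSocket, injected inline styles), plus a guard that catches `'unsafe-inline'` leaking into production. The dev host `localhost:5173`, the hash values and the plugin name are constructed for the example.

```javascript
// Build one CSP string per mode. Vite's dev server is assumed to listen on
// localhost:5173 (constructed default); production inline bootstrap scripts,
// if any, are allowed only by sha256 hash passed in by the build step.
function buildCsp(mode, opts = {}) {
  const { devHost = 'localhost:5173', scriptHashes = [] } = opts;
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", ...scriptHashes.map((h) => `'sha256-${h}'`)],
    'style-src': ["'self'"],
    'connect-src': ["'self'"],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
  };
  if (mode === 'development') {
    // HMR talks to the dev server over WebSocket; plugins inject <style> tags
    // during development, so inline styles are tolerated here only.
    directives['connect-src'].push(`ws://${devHost}`, `http://${devHost}`);
    directives['style-src'].push("'unsafe-inline'");
  }
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Guard for the failure mode described above: a production policy that
// still carries 'unsafe-inline'. Call it from the build before deploying.
function hasUnsafeInline(csp) {
  return /'unsafe-inline'/.test(csp);
}

// Vite plugin (constructed name) that sets the development policy on every
// dev-server response via Vite's configureServer hook and Connect middleware.
// Production responses get their header from the web server or CDN instead.
function cspDevHeaderPlugin() {
  return {
    name: 'csp-dev-header',
    configureServer(server) {
      server.middlewares.use((req, res, next) => {
        res.setHeader('Content-Security-Policy', buildCsp('development'));
        next();
      });
    },
  };
}
```

Register `cspDevHeaderPlugin()` in the `plugins` array of `vite.config.js`; `buildCsp('production', { scriptHashes })` belongs in the deploy step that writes the real header.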

June 10, 2026 · 7 min · headertest.com