CSP for Mastodon and Self-Hosted Platforms
Running Mastodon or any self-hosted platform means you inherit the fun parts of security too. CSP is one of those controls that looks simple until your admin UI breaks, media stops loading, and WebSockets quietly die in production. I’ve seen this happen a lot with self-hosted stacks: someone pastes a “secure CSP” from a random blog post, then spends the next two hours figuring out why avatars, custom themes, analytics, embeds, or ActionCable stopped working. ...