CSP for Remix: Common Mistakes and Fixes
Remix is a nice fit for a strict Content Security Policy because it already gives you a clean server-rendered document boundary. But I keep seeing Remix apps ship with a CSP that looks strict on paper and falls apart the second analytics, hydration, or a UI library enters the room.

The usual pattern is familiar:

- start with default-src 'self'
- app breaks
- add 'unsafe-inline'
- app still breaks
- add a few domains
- stop checking reports

That’s not a CSP. That’s a list of regrets.

...
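The drift in that pattern can be checked mechanically. This added example (not code from the original post) parses a CSP header and reports what it actually permits for scripts. The three policy strings are constructed to mirror the steps above, and the function names and example hosts are assumptions.

```javascript
// Constructed sample policies, one per step of the pattern (hosts are placeholders).
const STAGES = [
  "default-src 'self'",
  "default-src 'self' 'unsafe-inline'",
  "default-src 'self' 'unsafe-inline' https://analytics.example https://cdn.example",
];

// Split a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Report what the policy effectively allows for script execution.
function auditCsp(header) {
  const policy = parseCsp(header);
  // script-src falls back to default-src when it is not set.
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src') ?? null;
  const sources = scriptSrc ?? [];
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const hasUnsafeInline = sources.some((s) =>
    s.toLowerCase() === "'unsafe-inline'");
  return {
    // No script-src and no default-src means scripts are unrestricted.
    scriptsRestricted: scriptSrc !== null,
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    inlineScripts: scriptSrc === null || (hasUnsafeInline && !hasNonceOrHash),
    // Unquoted sources are hosts or schemes allowed to serve script.
    scriptOrigins: sources.filter((s) => !s.startsWith("'")),
    // Without report-uri or report-to, violations are never collected.
    reporting: policy.has('report-uri') || policy.has('report-to'),
  };
}

console.log(STAGES.map(auditCsp));
```

By the last stage the audit shows inline scripts allowed, two extra origins able to serve script, and no reporting endpoint, even though the header still begins with default-src 'self'.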