[Feat]: Implement Content Security Policy (CSP) to Enhance Application Security

What feature?

The application currently lacks a Content Security Policy (CSP), which increases the risk of cross-site scripting (XSS) and other injection attacks. Implementing a CSP is essential to enhance the security of the application.

Describe the solution you'd like

I propose implementing a CSP with the following directives to mitigate potential security risks:

default-src 'none';: Disallows all content by default, enforcing that only explicitly allowed sources can be used.
script-src 'self' 'unsafe-inline';: Allows scripts to be loaded only from the same origin and inline scripts.
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;: Permits styles from the same origin, inline styles, and Google Fonts.
font-src 'self' https://fonts.gstatic.com;: Restricts font loading to the same origin and Google Fonts.
img-src 'self' https://github.com https://avatars.githubusercontent.com https://pbs.twimg.com;: Allows images from the same origin, GitHub, and Twitter.
manifest-src 'self';: Restricts the web app manifest to the same origin.
connect-src 'self';: Limits network connections (e.g., AJAX calls) to the same origin.
base-uri 'self';: Ensures that the base URL is restricted to the same origin.
form-action 'self';: Restricts form submissions to the same origin.

Describe alternatives you've considered

Without a CSP, the application remains vulnerable to various injection attacks. The alternative would be to rely solely on input validation and sanitization techniques, but these measures alone are not sufficient to fully protect against XSS and similar threats.

Additional context

Implementing a CSP is a crucial step in improving the application’s security posture. By specifying the sources from which content can be loaded, we can significantly reduce the attack surface available to potential attackers.

Add screenshots

CSP

Code of Conduct

[X] I agree to follow this project's Code of Conduct

shyamtawli / devFind