Content Security Policy for Home Assistant

Hey there,

I want to increase the security of the public access to my Home Assistant, and for this I would implement a Content Security Policy. But every time I embed this, Safari, Edge and sometimes Firefox show me that Home Assistant wouldn't work. With Chrome it works perfectly. Is anybody there with a working configuration?

Thanks!

4 Likes

Here’s a CSP that works for the latest 2025.4 as of this writing:

Content-Security-Policy "report-to csp-endpoint; upgrade-insecure-requests; default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; img-src 'self' data: brands.home-assistant.io github.com raw.githubusercontent.com basemaps.cartocdn.com; font-src 'self' data:; connect-src 'self' brands.home-assistant.io; script-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; manifest-src 'self'"
1 Like
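
An added example, not part of either post above: a small auditor that parses the posted policy, resolves which directive actually governs each fetch type under the CSP Level 3 fallback chains, and lists the points worth reviewing before exposing the instance publicly. The function names and the `ignored` parameter (which models a user agent that does not implement a given directive) are this example's own assumptions.

```javascript
// Added example (not from the thread). POLICY is the header value posted above.
const POLICY = "report-to csp-endpoint; upgrade-insecure-requests; default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'; img-src 'self' data: brands.home-assistant.io github.com raw.githubusercontent.com basemaps.cartocdn.com; font-src 'self' data:; connect-src 'self' brands.home-assistant.io; script-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; manifest-src 'self'";

// CSP Level 3 fallback chains: the first directive present in the policy governs.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// Split a header value into directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the spec, a repeated directive is ignored; the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Directive and sources that govern `type`. `ignored` models a user agent
// that does not implement some directives (an assumption of this example).
function effective(policy, type, ignored = []) {
  const chain = FALLBACK[type] || [type, 'default-src'];
  const hit = chain.find((d) => policy.has(d) && !ignored.includes(d));
  return hit ? { directive: hit, sources: policy.get(hit) } : null; // null: unrestricted
}

function audit(policy) {
  const findings = [];
  const hasNonceOrHash = (s) => /^'(nonce|sha(256|384|512))-/.test(s);
  for (const type of ['script-src-elem', 'script-src-attr']) {
    const eff = effective(policy, type);
    // 'unsafe-inline' is only honoured when no nonce or hash source is listed.
    if (eff && eff.sources.includes("'unsafe-inline'") && !eff.sources.some(hasNonceOrHash))
      findings.push(`${type}: 'unsafe-inline' permits injected inline script`);
  }
  const legacy = effective(policy, 'script-src-elem', ['script-src-elem']);
  if (policy.has('script-src-elem') && legacy && legacy.sources.includes("'none'"))
    findings.push(`script-src-elem: without it, scripts fall back to ${legacy.directive} 'none'`);
  if (policy.has('report-to') && !policy.has('report-uri'))
    findings.push('report-to: no report-uri fallback; the named group must be defined by a reporting header');
  return findings;
}

const policy = parseCsp(POLICY);
console.log(audit(policy));
```

The second finding is the one relevant to cross-browser breakage: the policy sets `script-src-elem` but no `script-src`, so any user agent that ignores `script-src-elem` resolves scripts to `default-src 'none'`.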