docs: Fix CSP security config and add missing meta.json files

Copilot · hotlong · Copilot · commit 5d9b34b97870 · 2026-01-22T10:00:53.000Z
- Remove unsafe-inline from CSP examples, use nonce/hash-based approach
- Add meta.json for docs/guide/cli/ subdirectory
- Add meta.json for docs/ecosystem/deployment/ subdirectory
- Fixes Fumadocs build by ensuring all subdirectories have proper navigation

Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/docs/ecosystem/deployment/meta.json b/docs/ecosystem/deployment/meta.json
@@ -0,0 +1,6 @@
+{
+  "title": "Deployment",
+  "pages": [
+    "showcase-deployment"
+  ]
+}
diff --git a/docs/guide/cli/meta.json b/docs/guide/cli/meta.json
@@ -0,0 +1,7 @@
+{
+  "title": "CLI",
+  "pages": [
+    "getting-started",
+    "runtime-reference"
+  ]
+}
diff --git a/docs/security.md b/docs/security.md
@@ -314,26 +314,48 @@ Implement CSP headers:
 
 ```html
 <!-- In your HTML or via HTTP headers -->
+<!-- Use nonce-based CSP for inline scripts/styles -->
 <meta http-equiv="Content-Security-Policy" 
       content="default-src 'self'; 
-               script-src 'self' 'unsafe-inline'; 
-               style-src 'self' 'unsafe-inline'; 
+               script-src 'self' 'nonce-{random-nonce}'; 
+               style-src 'self' 'nonce-{random-nonce}'; 
                img-src 'self' data: https:; 
                font-src 'self' data:;">
 ```
 
-Or via HTTP header:
+Or via HTTP header with nonce:
 ```javascript
-// Express
+// Express - Generate a unique nonce per request
 app.use((req, res, next) => {
+  const nonce = crypto.randomBytes(16).toString('base64');
+  res.locals.nonce = nonce;
   res.setHeader(
     'Content-Security-Policy',
-    "default-src 'self'; script-src 'self' 'unsafe-inline'"
+    `default-src 'self'; script-src 'self' 'nonce-${nonce}'; style-src 'self' 'nonce-${nonce}'`
   );
   next();
 });
+
+// Then use the nonce in your inline scripts/styles:
+// <script nonce="${nonce}">...</script>
+// <style nonce="${nonce}">...</style>
 ```
 
+**Alternative: Hash-based CSP** (for static inline content):
+```javascript
+// Calculate hash of your inline script/style
+// Then include in CSP
+app.use((req, res, next) => {
+  res.setHeader(
+    'Content-Security-Policy',
+    "default-src 'self'; script-src 'self' 'sha256-{hash-of-script}'; style-src 'self'"
+  );
+  next();
+});
+```
+
+**Note**: Avoid using `'unsafe-inline'` as it significantly weakens XSS protection. Use nonces or hashes instead.
+
 ## Dependency Security
 
 ### Regular Updates
