From 7b44fd5d0a49341156fe3e6bca5a843d1953f875 Mon Sep 17 00:00:00 2001
From: Moritz Marby
Date: Wed, 5 Nov 2025 09:50:29 +0100
Subject: [PATCH 1/2] feat(security): enhance content security policy and add HSTS configuration
---
 server.ts | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/server.ts b/server.ts
index 9c025a82..6c196ded 100644
--- a/server.ts
+++ b/server.ts
@@ -94,6 +94,9 @@ if (DYNATRACE_SCRIPT_URL) {
 fastify.register(helmet, {
 contentSecurityPolicy: {
 directives: {
+ defaultSrc: ["'self'"],
+ styleSrc: ["'self'", "'unsafe-inline'"],
+ imgSrc: ["'self'", 'data:', 'https:'],
 'connect-src': ["'self'", 'sdk.openui5.org', sentryHost, dynatraceOrigin],
 'script-src': isLocalDev
 ? ["'self'", "'unsafe-inline'", "'unsafe-eval'", sentryHost, dynatraceOrigin]
@@ -102,6 +105,12 @@ fastify.register(helmet, {
 'frame-ancestors': [...fastify.config.FRAME_ANCESTORS.split(',')],
 },
 },
+ // Needed for https enforcement
+ hsts: {
+ maxAge: 31536000,
+ includeSubDomains: true,
+ preload: true,
+ },
 });

 fastify.register(proxy, {
From e408b0ca0cdefa5813d3faf8a512642598a4f64d Mon Sep 17 00:00:00 2001
From: Moritz Marby
Date: Wed, 5 Nov 2025 09:53:29 +0100
Subject: [PATCH 2/2] fix(build): only enable sourcemaps if not building for production
---
 vite.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vite.config.js b/vite.config.js
index 283c2549..6d8e139d 100644
--- a/vite.config.js
+++ b/vite.config.js
@@ -35,7 +35,7 @@ export default defineConfig({
 },
 build: {
- sourcemap: true,
+ sourcemap: process.env.NODE_ENV !== 'production',
 target: 'esnext', // Support top-level await
 },
 });
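Review bot: The three added directives use camelCase keys (`defaultSrc`, `styleSrc`, `imgSrc`) while the existing entries right below them use quoted kebab-case (`'connect-src'`, `'script-src'`, `'frame-ancestors'`); helmet accepts either spelling, but one style per object is easier to grep and diff, so `'default-src': ["'self'"],`, `'style-src': [...]`, `'img-src': [...]` would match the neighbours. The permissive values also need a why-comment, because `'https:'` in img-src admits images from any HTTPS origin and `'unsafe-inline'` in style-src switches off the style half of the policy for injected markup; a line such as `// img-src https: / style-src 'unsafe-inline': required by <component>, tracked in <ticket>` (placeholders to be filled in) records the trade-off for the next reader. If the helmet version in use merges its built-in directive set (`useDefaults`), `defaultSrc: ["'self'"]` duplicates a default and the other two override defaults, so the effective header is worth checking in a response rather than in the source. The `fastify.register(helmet, …)` call continues past this hunk.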
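Review bot: The comment `// Needed for https enforcement` overstates what the `hsts` block does: the header is only honoured after a browser has already received it over a valid HTTPS connection, so it does not upgrade a plain-HTTP first visit (that still needs a redirect at the proxy or in the server) and is ignored entirely when the app is served over HTTP in local development. `preload: true` together with `includeSubDomains: true` is also a one-way door — once the domain is submitted to the browser preload list every subdomain must serve HTTPS for at least the one-year `maxAge`, and removal takes months — so `preload` should only be set if the team intends to submit the domain, and a comment such as `// HSTS: 1-year maxAge, includeSubDomains and preload are the preload-list requirements; submit only once every subdomain is HTTPS-only` would make that explicit. If helmet's default hsts settings were already in effect before this change, the behavioural difference is the longer maxAge and the preload flag rather than enabling HSTS as such; worth confirming against the helmet version in the lockfile. The enclosing `fastify.register(helmet, …)` call starts before this hunk.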
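Review bot: Turning `sourcemap` off for production also drops the maps an error tracker would need to symbolicate production stack traces, and the `sentryHost` allowed in the server.ts CSP suggests one is in use; if maps are (or should be) uploaded at build time, `sourcemap: process.env.NODE_ENV === 'production' ? 'hidden' : true,` keeps generating them without the `//# sourceMappingURL` comment, so they are never referenced by served bundles. Reading `process.env.NODE_ENV` inside the config relies on Vite having set it before the config file is loaded for `vite build`; the function form `defineConfig(({ command }) => ({ … sourcemap: command !== 'build' … }))` is the documented way to branch and does not depend on that ordering. The `defineConfig` call starts before this hunk.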