disable server unless explicitly opted in (#7529)

2026-03-31 14:22:27 +00:00 · 2026-01-09 16:33:46 -05:00
parent 75df5040ea
commit 982b71e861
6 changed files with 194 additions and 49 deletions
--- a/packages/opencode/src/server/server.ts
+++ b/packages/opencode/src/server/server.ts
@@ -2826,6 +2826,10 @@ export namespace Server {
              host: "app.opencode.ai",
            },
          })
+          response.headers.set(
+            "Content-Security-Policy",
+            "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'",
+          )
          return response
        }) as unknown as Hono,
  )