CSP

Content Security Policy — builder, directives.

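// Wire the CSP middleware into the application builder.
// CSP keyword sources ('self', 'none', nonces) must be single-quoted exactly
// once in the emitted header value; a keyword with doubled quotes is not a
// valid source expression and would not grant what was intended.
RuniqueApp::builder(config)
    .middleware(|m| {
        m.with_csp(|c| {
            c.policy(SecurityPolicy::strict())
             .with_header_security(true)        // Also emit X-Frame-Options, X-Content-Type-Options, etc.
             .with_upgrade_insecure(!is_debug()) // upgrade-insecure-requests (HTTP -> HTTPS) outside debug builds
             .images(vec!["'self'", "data:"])    // img-src only: data: URIs are acceptable for images, not for scripts
        })
    })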
// Strict: deny-by-default; only sources explicitly listed in the policy are allowed.
SecurityPolicy::strict()

// Permissive: a looser baseline for local development or while migrating an
// existing site to CSP — presumably not intended for production; confirm.
SecurityPolicy::permissive()

// Generated header (strict):
// Content-Security-Policy:
//   default-src 'self';
//   script-src 'self' 'nonce-abc123';
//   style-src 'self';
//   img-src 'self' data:;
//   object-src 'none';
//   frame-ancestors 'none';
//   upgrade-insecure-requests
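{# The nonce is regenerated on every request and injected into the
   Content-Security-Policy header automatically. The same value must be
   placed in the nonce attribute of each inline <script>, otherwise the
   browser rejects that script. A nonce only protects while it is
   unpredictable, so never hard-code one or reuse it across responses. #}
<script nonce="{{ csp_nonce }}">
    // This inline script is allowed by CSP because its nonce matches the header
    document.querySelector('form').addEventListener('submit', ...);
</script>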