Security

CSP allowlist

Every origin allowed by Kausa's Content-Security-Policy header and the justification for each.

Sources explicitly allowed in the Content-Security-Policy header and the justification for each.

script-src

Source	Justification
`'self'`	Application scripts.
`'unsafe-inline'`	Wallet adapter libraries (Phantom, Solflare, Backpack) inject inline scripts for adapter detection. Tracked for nonce-based CSP in v2.
`'unsafe-eval'`	`@solana/web3.js` uses `eval`-like constructs for BN.js / buffer polyfills. Required until upstream removes the dependency.

style-src

Source	Justification
`'self'`	Application stylesheets.
`'unsafe-inline'`	Tailwind CSS v4 and shadcn/ui inject inline styles at runtime. Standard for CSS-in-JS patterns.

img-src

Source	Justification
`'self'`	Local images.
`data:`	Wallet icons and generated placeholders.
`blob:`	Canvas-generated content.
`https:`	Campaign images may reference external HTTPS URLs.

connect-src

Source	Justification
`'self'`	API calls to own backend.
`https://api.devnet.solana.com`	Solana devnet RPC.
`https://api.mainnet-beta.solana.com`	Wallet adapter checks mainnet for cluster detection.
`wss://api.devnet.solana.com`	WebSocket subscriptions to devnet.
`wss://api.mainnet-beta.solana.com`	Wallet adapter WebSocket compatibility.

font-src

Source	Justification
`'self'`	Self-hosted fonts.
`data:`	`next/font` embeds woff2 as data URIs.

Future work

Replace 'unsafe-inline' in script-src with nonce-based CSP when wallet adapters support it (v2).
Remove 'unsafe-eval' if upstream @solana/web3.js drops BN.js eval patterns.
Restrict img-src https: to specific CDN domains once campaign image hosting is standardized.

Dependency management policy

How Kausa keeps third-party dependencies current and how the audit gate blocks risky bumps.

CSP enforcement

How Kausa enforces its Content-Security-Policy, reports violations, and responds to incidents.

On this page

script-src style-src img-src connect-src font-src Future work