fix(csp): allow secure.helcim.app for HelcimPay.js

The HelcimPay modal loads from secure.helcim.app, but the CSP only listed myposjs.helcim.com (script/connect) and secure.helcim.com (frame, likely a stale typo). Add secure.helcim.app to script-src, connect-src, and frame-src so the join flow's payment modal can load.
2026-04-26 15:59:02 +01:00 · 2026-04-26 15:59:02 +01:00 · e3410c52a5
commit e3410c52a5
parent 210a8d588f
2 changed files with 4 additions and 4 deletions
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@ -17,12 +17,12 @@ export default defineEventHandler((event) => {
    if (!path.startsWith('/oidc/')) {
      headers['Content-Security-Policy'] = [
        "default-src 'self'",
-        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
        "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
        "font-src 'self' https://fonts.gstatic.com",
-        "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
-        "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
+        "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
+        "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.app",
        "base-uri 'self'",
        "form-action 'self'",
      ].join('; ')