From c69ec03264aeb78fcb4bf11004b42a64770c4e5e Mon Sep 17 00:00:00 2001
From: Leni Kadali <52788034+lenikadali@users.noreply.github.com>
Date: Fri, 24 Apr 2026 21:04:43 +0300
Subject: [PATCH 1/2] Enable Content Security Policy for AWBW
Enables Content Security Policy for AWBW based on what we're already using in the codebase (the code is mostly vanilla Rails with minimal to no JavaScript) so much of the Rails defaults have removed.
---
.../initializers/content_security_policy.rb | 44 ++++++-------
1 file changed, 13 insertions(+), 31 deletions(-)
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index d5527fe15..c08c8bbef 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,34 +4,16 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-# Rails.application.configure do
-# config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# # Allow @vite/client to hot reload javascript changes in development
-# # policy.script_src *policy.script_src, :unsafe_eval, "http://#{ ViteRuby.config.host_with_port }" if Rails.env.development?
-# # You may need to enable this in production as well depending on your setup.
-# # policy.script_src *policy.script_src, :blob if Rails.env.test?
-# policy.style_src :self, :https
-# # Allow @vite/client to hot reload style changes in development
-# # policy.style_src *policy.style_src, :unsafe_inline if Rails.env.development?
-# # Allow @vite/client to hot reload changes in development
-# # policy.connect_src *policy.connect_src, "ws://#{ ViteRuby.config.host_with_port }" if Rails.env.development?
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
-#
-# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-# # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`
-# # if the corresponding directives are specified in `content_security_policy_nonce_directives`.
-# # config.content_security_policy_nonce_auto = true
-#
-# # Report violations without enforcing the policy.
-# # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+ config.content_security_policy do |policy|
+ policy.default_src :self, :https
+ policy.font_src :self, :https, :data
+ policy.img_src :self, :https, :data
+ policy.object_src :none
+ policy.script_src :self, :https
+ # Specify URI for violation reports
+ policy.report_uri "/csp-violation-report-endpoint"
+ end
+ # Report violations without enforcing the policy.
+ config.content_security_policy_report_only = true
+end
From 4781727ea4861f63450d3969d992a39399068543 Mon Sep 17 00:00:00 2001
From: Leni Kadali <52788034+lenikadali@users.noreply.github.com>
Date: Thu, 21 May 2026 22:38:31 +0300
Subject: [PATCH 2/2] chore: Update Devise to pass bundler-audit check
---
Gemfile | 2 +-
Gemfile.lock | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Gemfile b/Gemfile
index af77ac2e1..181a5318e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -15,7 +15,7 @@ gem "vite_rails"
 gem "jquery-rails"
 gem "jbuilder", "~> 2.0"
-gem "devise", "~> 5.0.3"
+gem "devise", "~> 5.0.4"
 gem "draper"
 gem "aws-sdk-s3"
diff --git a/Gemfile.lock b/Gemfile.lock
index fd92ca67d..9c527e223 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -177,7 +177,7 @@ GEM
 reline (>= 0.3.8)
 debug_inspector (1.2.0)
 device_detector (1.1.3)
-devise (5.0.3)
+devise (5.0.4)
 bcrypt (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 7.0)
@@ -779,7 +779,7 @@ DEPENDENCIES
 cocoon (~> 1.2.6)
 country_select
 debug (~> 1.11)
-devise (~> 5.0.3)
+devise (~> 5.0.4)
 dotenv-rails
 draper
 factory_bot_rails
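Review bot: The commit title says the policy is enabled, but `config.content_security_policy_report_only = true` on the added side makes Rails send `Content-Security-Policy-Report-Only`, so nothing is enforced, and `policy.report_uri "/csp-violation-report-endpoint"` names a path that no patch in this series adds a route or handler for, so the violation reports this rollout depends on presumably have nowhere to land. The intent should be stated in the block, e.g. `# Report-only rollout: once the report endpoint exists and shows no legitimate violations, set content_security_policy_report_only = false to enforce.` Two further points in the same hunk: `:https` in `policy.script_src :self, :https` allows scripts from any HTTPS origin, which leaves the directive with little XSS value once enforced, and the removed Vite development allowances for script-src, style-src and connect-src are likely still needed in development, since the second patch's Gemfile hunk still lists `gem "vite_rails"`. `policy.style_src` was also dropped, so styles now fall back to `default-src 'self' https:` and any inline style will be reported; confirm that is intended.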
@@ -878,7 +878,7 @@ CHECKSUMS
 debug (1.11.1) sha256=2e0b0ac6119f2207a6f8ac7d4a73ca8eb4e440f64da0a3136c30343146e952b6
 debug_inspector (1.2.0) sha256=9bdfa02eebc3da163833e6a89b154084232f5766087e59573b70521c77ea68a2
 device_detector (1.1.3) sha256=c5fe3fe42cab2e8aa01f193b2074b8bb1510373ce47127206f28c7dea75a9c79
-devise (5.0.3) sha256=c4c065051cdc4ace11547b2b7f5c3c4c97d0f1269250f5fe90f614ff78f29546
+devise (5.0.4) sha256=d605f2b85854e74e56ee789e2d398702bc2d06e6bcd894717a670a3199c74cc1
 diff-lcs (1.6.2) sha256=9ae0d2cba7d4df3075fe8cd8602a8604993efc0dfa934cff568969efb1909962
 docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
 domain_name (0.6.20240107) sha256=5f693b2215708476517479bf2b3802e49068ad82167bcd2286f899536a17d933