From 4c07cbc60cbf7fcc9f66a908fec7434b05729dbe Mon Sep 17 00:00:00 2001
From: j4y <36337+j4y@users.noreply.github.com>
Date: Fri, 26 Dec 2025 12:05:49 -0500
Subject: [PATCH] feat(csp): add CloudFront response headers policy with Content-Security-Policy

- introduce aws_cloudfront_response_headers_policy resource
- define CSP allowing required external scripts (Google Ads, CDNJS)
---
 terraform/website/main.tf | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/terraform/website/main.tf b/terraform/website/main.tf
index f886b42..311e1ba 100644
--- a/terraform/website/main.tf
+++ b/terraform/website/main.tf
@@ -90,6 +90,17 @@ resource "aws_s3_bucket_website_configuration" "bucket" {
   ])
 }
 
+resource "aws_cloudfront_response_headers_policy" "csp" {
+  name = "colorcop-csp-policy"
+
+  security_headers_config {
+    content_security_policy {
+      override = true
+      content_security_policy = "default-src 'self'; script-src 'self' 'unsafe-eval' https://pagead2.googlesyndication.com https://googleads.g.doubleclick.net https://cdnjs.cloudflare.com; style-src 'self' https://cdnjs.cloudflare.com 'unsafe-inline'; img-src 'self' data: https://pagead2.googlesyndication.com https://googleads.g.doubleclick.net;"
+    }
+  }
+}
+
 resource "aws_cloudfront_distribution" "distribution" {
   aliases = [local.www_domain, var.domain]
   comment = "Cloudfront distribution for ${var.domain}"
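Review bot: The new `csp` policy is never attached to a distribution, so CloudFront will not emit the header: the diffstat shows all 11 insertions are this resource, and the `aws_cloudfront_distribution` that begins on the hunk's last lines (its body continues outside the hunk) would need `response_headers_policy_id = aws_cloudfront_response_headers_policy.csp.id` in its `default_cache_behavior`. The `script-src` value includes `'unsafe-eval'`, which gives up most of the injection protection the CSP is meant to provide; if one of the listed ad scripts genuinely needs it, record that above the resource (`# 'unsafe-eval' required by <script name> -- TODO confirm`), otherwise drop it. No `frame-src` or `connect-src` directive is set, so any ad iframes or beacons fall back to `default-src 'self'` and will presumably be blocked; rolling the same value out first as a `Content-Security-Policy-Report-Only` header via `custom_headers_config` would surface that before enforcement. Consider hardening the value with `object-src 'none'; base-uri 'self'; frame-ancestors 'self'` and adding the sibling `strict_transport_security`, `content_type_options` and `frame_options` blocks that `security_headers_config` supports.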