Security Headers

If you use CSP, you need to expand your policy with the following additions.

At minimum you need to add to connect-src so a client script can post and retrieve comments.

If you use the provided client script, add to script-src so the client can be imported.


A complete CSP might look something like this:

default-src 'self'; script-src 'self'; connect-src 'self';
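
One way to apply these additions to an existing policy, as an added example that is not part of the original page or the project's own code. COMMENTS_ORIGIN is a constructed placeholder for the origin of your comment server, and the function names are hypothetical. When connect-src or script-src is missing, the code seeds it from default-src first, since defining the directive replaces the default-src fallback for that fetch type.

```javascript
// Added example: extend an existing CSP with the sources a comment service needs.
// COMMENTS_ORIGIN is a constructed placeholder, not a value from the page.
const COMMENTS_ORIGIN = "https://comments.example";

// Parse a policy string into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, a repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Add `source` to directive `name`. If the directive is absent, seed it from
// default-src, because defining it stops the default-src fallback for that type.
function addSource(directives, name, source) {
  let sources = directives.get(name);
  if (sources === undefined) {
    if (!directives.has("default-src")) return; // nothing restricts this type yet
    sources = [...directives.get("default-src")];
  }
  // 'none' must stand alone, so drop it once a real source is added.
  sources = sources.filter((s) => s.toLowerCase() !== "'none'");
  if (!sources.includes(source)) sources.push(source);
  directives.set(name, sources);
}

function serializeCsp(directives) {
  return [...directives].map(([n, s]) => [n, ...s].join(" ")).join("; ") + ";";
}

// useClientScript: true when the provided client script is imported from the service.
function extendCsp(policy, origin, useClientScript) {
  const directives = parseCsp(policy);
  addSource(directives, "connect-src", origin);
  if (useClientScript) addSource(directives, "script-src", origin);
  return serializeCsp(directives);
}

console.log(extendCsp("default-src 'self'; script-src 'self'; connect-src 'self';", COMMENTS_ORIGIN, true));
```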