fix: Add CSP connectSrc directive for AI API calls

- Added connectSrc to Content Security Policy - Allow connections to OpenAI, 智谱AI, Azure OpenAI, Anthropic, and Google AI APIs - Fixes CSP violation error when calling external AI services in production - Resolves: 'Refused to connect because it violates the document's Content Security Policy'
2026-02-28 05:33:11 +08:00 · 2025-08-22 16:14:28 +08:00
parent 954b37fe7a
commit 8657600c21
1 changed files with 8 additions and 0 deletions
--- a/server/index.cjs
+++ b/server/index.cjs
@@ -36,6 +36,14 @@ app.use(helmet({
      styleSrc: ["'self'", "'unsafe-inline'"],
      scriptSrc: ["'self'"],
      imgSrc: ["'self'", "data:", "https:"],
+      connectSrc: [
+        "'self'",
+        "https://api.openai.com",
+        "https://open.bigmodel.cn",
+        "https://*.openai.azure.com",
+        "https://api.anthropic.com",
+        "https://generativelanguage.googleapis.com"
+      ],
    },
  },
  crossOriginEmbedderPolicy: false