fix: fixed csp

app/views/layout.pug

@@ -375,15 +375,6 @@ html.h-100.no-js(
             crossorigin="anonymous"
           )
 
-        //- TODO: remove plausible and migrate to our own
-        //- analytics via plausible.io
-        if (!user || user.group !== 'admin') && isNotPrivateRoute
-          script(
-            defer,
-            data-domain="forwardemail.net",
-            src="https://plausible.io/js/plausible.js"
-          )
-
         //- cloudflare turnstile (hidden from bots and admins)
         if config.turnstileEnabled && (!user || user.group !== 'admin')
           script(defer, nonce=nonce).

config/web.js

@@ -128,6 +128,7 @@ setInterval(checkGitHubIssues, 60000);
 
 const defaultSrc = isSANB(process.env.WEB_HOST)
   ? [
+      "'none'",
       "'self'",
       'data:',
       `${env.NODE_ENV === 'production' ? 'https://' : 'http://'}*.${
@@ -136,7 +137,9 @@ const defaultSrc = isSANB(process.env.WEB_HOST)
       `${env.NODE_ENV === 'production' ? 'https://' : 'http://'}${
         env.WEB_HOST
       }`,
-      ...(env.NODE_ENV === 'production' ? [] : [`http://${env.WEB_HOST}:*`]),
+      ...(env.NODE_ENV === 'production'
+        ? [`https://${env.WEB_HOST}:*`]
+        : [`http://${env.WEB_HOST}:*`]),
       function (req, res) {
         let nonce;
         for (const s of Object.getOwnPropertySymbols(res)) {