# Content Security Policy for this application.
# The policy is built with Rails' CSP DSL and emitted on every response.
Rails.application.configure do
  config.content_security_policy do |policy|
    # Fallback for every fetch directive not listed explicitly below.
    # Directives such as base-uri, form-action and frame-ancestors do not
    # fall back to default-src and are not set in this file.
    policy.default_src(:none)
    policy.font_src(:self)
    policy.img_src(:self)
    # Plugin content (<object>/<embed>) is allowed from the same origin.
    # NOTE(review): :none is the usual hardening when no plugins are served — confirm before tightening.
    policy.object_src(:self)
    # Same-origin scripts, plus inline script and eval().
    # NOTE(review): script-src is nonce-enabled further down; browsers that honor
    # the nonce ignore 'unsafe-inline' for this directive, so its practical effect
    # is limited to older user agents. 'unsafe-eval' still applies in all of them.
    policy.script_src(:self, :unsafe_inline, :unsafe_eval)
    # Same note as script-src: style-src is nonce-enabled, so 'unsafe-inline'
    # only matters to user agents that do not support nonces.
    policy.style_src(:self, :unsafe_inline)
    # Frames may load same-origin documents and data: URLs.
    policy.frame_src(:self, :data)
    # XHR / fetch / WebSocket targets are restricted to the same origin.
    policy.connect_src(:self)
    # Left disabled in the original; kept for reference.
    # if Rails.env.development?
    #   policy.connect_src :self # LiveReload
    # end
  end

  # Nonce generator: a fresh 16-byte (32 hex char) random value is produced every
  # time Rails invokes the lambda, i.e. once per request — not per session.
  # The request argument is ignored.
  config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.hex(16) }
  # Directives that receive the nonce; Rails' tag helpers add the matching
  # nonce attribute to inline scripts and styles they render.
  config.content_security_policy_nonce_directives = %w[script-src style-src]

  # Report-only mode stays commented out, so violations are blocked, not merely reported.
  # config.content_security_policy_report_only = true
end