How do I get railway to accept blob URLs when deploying a static site?
newideas99
HOBBYOP

2 months ago

Railway CSP blocks blob

Problem
• Drag/drop creates blob: image URLs; Railway’s default CSP blocks them.
Error: Refused to load the image 'blob:…' due to "img-src 'self' data: https: *".

Current Solution (Security Risk):
Use a custom Caddyfile so Railway serves a CSP that allows blob: URLs:

:{$PORT} {
    root * /app
    file_server
    header {
        Content-Security-Policy "default-src 'self'; img-src 'self' data: https: blob: *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; connect-src 'self' https: wss: ws:; frame-src 'self' https:; media-src 'self' https: blob:; object-src 'none'; base-uri 'self'; form-action 'self';"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
    encode gzip
    try_files {path} /index.html
}

Place the Caddyfile where Railway picks it up and deploy; check logs for “Using custom Caddyfile”.

Security caveat (important)
If you store the Caddyfile under public/static assets, it is web-accessible (e.g., /Caddyfile). That’s a security risk.

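To check a policy before deploying it, here is an added Python example (not from the original post and not Railway's or Caddy's code) that parses a CSP header, decides whether a blob: or other URL is permitted under a directive using the matching rules browsers apply, and lists the sources in the posted policy that widen it beyond what blob: images need. The TIGHTENED_CSP variant, the page origin and all sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed inputs, not fetched from any server: Railway's default img-src as
# quoted in the error above, the header from the Caddyfile in the post, and an
# assumed narrower variant that only adds blob: where the drag/drop images need it.
RAILWAY_DEFAULT = "default-src 'self'; img-src 'self' data: https: *"
POSTED_CSP = ("default-src 'self'; img-src 'self' data: https: blob: *; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; "
              "media-src 'self' https: blob:; object-src 'none'")
TIGHTENED_CSP = ("default-src 'self'; img-src 'self' data: https: blob:; "
                 "media-src 'self' https: blob:; object-src 'none'")
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def allows(policy, directive, url, page_origin):
    """True if `url` may load under `directive` (falling back to default-src).
    Scheme sources such as blob: match their scheme only; 'self' and '*' do not
    cover blob:, data: or filesystem: URLs, which is why the default policy in
    the error above rejects drag/drop images even though it contains '*'."""
    sources = policy.get(directive, policy.get("default-src", []))
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    opaque = scheme in ("blob", "data", "filesystem")
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" and not opaque:
            return True
        if src == "'self'" and not opaque:
            if f"{scheme}://{parts.netloc}".lower() == page_origin.lower():
                return True
        if src.endswith(":") and src[:-1].lower() == scheme:
            return True
    return False


def weak_sources(policy):
    """(directive, source) pairs that widen the policy beyond what allowing
    blob: images requires, e.g. 'unsafe-eval' in script-src."""
    return [(d, s) for d, srcs in policy.items() for s in srcs if s in WEAK_SOURCES]
```

Running weak_sources over the posted header shows that the blob: fix itself needs none of 'unsafe-inline', 'unsafe-eval' or '*'; the tightened variant still allows the drag/drop images.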

dev
MODERATOR

2 months ago

If you're trying to use a custom Caddyfile for your static site, try placing the Caddyfile in the root of your static site; otherwise Railway won't use it.
