9 months ago
Railway CSP blocks blob
Problem
• Drag/drop creates blob: image URLs; Railway’s default CSP blocks them.
Error: Refused to load the image 'blob:...' due to "img-src 'self' data: https: *".
Current Solution (Security Risk):
Use a custom Caddyfile so Railway serves a CSP that allows blob::
:{$PORT} {
root * /app
file_server
header {
Content-Security-Policy "default-src 'self'; img-src 'self' data: https: blob: *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; connect-src 'self' https: wss: ws:; frame-src 'self' https:; media-src 'self' https: blob:; object-src 'none'; base-uri 'self'; form-action 'self';"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
}
encode gzip
try_files {path} /index.html
}
Place the Caddyfile where Railway picks it up and deploy; check logs for “Using custom Caddyfile”.
Security caveat (important)
If you store the Caddyfile under public/static assets, it is web-accessible (e.g., /Caddyfile). That’s a security risk.
1 Replies
9 months ago
If you're trying to use a custom Caddyfile for your static site then try placing the Caddyfile in the root of your static site, otherwise Railway won't use it