CSP Header Issue with Railway Deployment - Need Help with blob: URLs
Hey Wasp team! I'm deploying to Railway using wasp deploy railway and running into a Content-Security-Policy issue.
Problem:
• When users drag/drop images into my canvas app, the browser creates blob: URLs
• Railway's edge proxy serves the client with a default CSP that blocks blob: URLs
• Error: Refused to load the image 'blob:https://...' because it violates the following Content Security Policy directive: "img-src 'self' data: https: *"
What I've discovered:
• Railway deploys the client from .wasp/build/web-app/build as static files
• It uses the Caddy web server with a default Caddyfile
• The server CSP middleware in serverSetup.ts only applies to API routes, not the client HTML

What I'm trying:
• Created a custom Caddyfile with the correct CSP header (including blob: in img-src)
• Copied it to public/Caddyfile so it gets included in the build output
• Railway should detect and use it instead of generating a default one

Questions:
1. Is there an official/recommended way to customize HTTP headers for the Railway client deployment?
2. Should the server's CSP middleware also apply to serving the client HTML, or is separating them expected?
3. Any best practices for handling blob: URLs with Wasp + Railway?
The custom Caddyfile approach seems to work based on Railway's build logs, but wondering if there's a cleaner solution I'm missing!
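For reference, here is an added example of the kind of static-site Caddyfile described in the post; it is not Wasp's or Railway's own file. It assumes the built client is copied to /srv and that Caddy listens on the port passed in the PORT environment variable; the only change to the policy quoted above is the explicit blob: source, because the `*` and `https:` sources in CSP match only network schemes (http, https, ws, wss) and never blob: or data:.

```caddyfile
# Added example, not the project's own Caddyfile.
# Assumptions: built client at /srv, port supplied via PORT.
:{$PORT} {
	root * /srv
	encode gzip

	# Policy that blocks blob: images (as in the error quoted above):
	#   img-src 'self' data: https: *
	# Corrected policy: identical, with blob: listed explicitly.
	# Keep the other directives of the currently served policy
	# (script-src, connect-src, ...) after this one; they are omitted
	# here because they are specific to each deployment.
	header Content-Security-Policy "img-src 'self' data: blob: https: *"

	# SPA fallback so client-side routes resolve to index.html.
	try_files {path} /index.html
	file_server
}
```

After deploying, confirm the change with `curl -sI https://<your-app>/ | grep -i content-security-policy`, which shows the header the edge actually serves for the HTML document rather than for an API route.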