From 66b46bca9deb1ebbb9b2ab6edf8752755437a440 Mon Sep 17 00:00:00 2001
From: bpeng <b.peng@gns.cri.nz>
Date: Fri, 6 Mar 2026 14:32:42 +1300
Subject: [PATCH] fix: update handler csp to enforce https

---
 weft/handlers.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/weft/handlers.go b/weft/handlers.go
index 7eb3aec..b4db8ed 100644
--- a/weft/handlers.go
+++ b/weft/handlers.go
@@ -59,7 +59,7 @@ var compressibleMimes = map[string]bool{
 
 var defaultCsp = map[string]string{
 	"default-src":     "'none'",
-	"img-src":         "'self' *.geonet.org.nz data: https://*.google-analytics.com https://*.googletagmanager.com",
+	"img-src":         "'self' https://*.geonet.org.nz data: https://*.google-analytics.com https://*.googletagmanager.com",
 	"font-src":        "'self' https://fonts.gstatic.com",
 	"style-src":       "'self'",
 	"script-src":      "'self'",