fix: remove upgrade-insecure-requests CSP, protect stratagems via API auth

2026-03-30 13:39:28 +02:00
parent 3c22196f81
commit 111f93da44
4 changed files with 17 additions and 97 deletions
@@ -90,11 +90,12 @@ async function checkAuth() {
  }
 }

-function onLoggedIn() {
+async function onLoggedIn() {
  document.getElementById('main-nav').classList.remove('hidden');
  document.getElementById('nav-username').textContent = state.user.user;
  document.getElementById('nav-admin').classList.toggle('hidden', state.user.role !== 'admin');
-  state.stratagems = window.STRATAGEMS || [];
+  // Stratagems are served via authenticated API – not as a public static file
+  state.stratagems = await api('GET', '/stratagems').catch(() => []);
  connectWS();
  showView('dashboard');
 }