fix(csp): allow Cloudflare Turnstile domains for script, frame, and connect

[waleedlatif1]

Summary

• Add `https://challenges.cloudflare.com\` to `script-src`, `frame-src`, and `connect-src` in both build-time and runtime CSP configs
• This was blocking the Turnstile widget iframe from loading entirely, causing captcha verification to always fail — the actual root cause of the signup blocker

Type of Change

• Bug fix

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 4, 2026 10:45pm

[cursor]

PR Summary

Medium Risk
Expands the Content Security Policy to permit an additional third-party origin; low code complexity, but CSP relaxations can increase exposure if mis-scoped or unintended in affected pages.

Overview
Fixes captcha/signup failures by adding https://challenges.cloudflare.com to the CSP allowlists.

Updates both the build-time directives and the runtime-generated CSP header to permit Cloudflare Turnstile resources via script-src, connect-src, and frame-src.

^{Reviewed by Cursor Bugbot for commit 5f791ff. Configure here.}

[gitguardian]

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

---

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 5f791ff. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes a CSP misconfiguration that was blocking the Cloudflare Turnstile captcha widget from loading on the signup page, which was the root cause of signup failures.

• Adds https://challenges.cloudflare.com to script-src (allows Turnstile JS to load), frame-src (allows Turnstile iframe challenge to render), and connect-src (allows verification fetch requests) in buildTimeCSPDirectives
• Applies the same three additions consistently to the runtime generateRuntimeCSP() string template
• Both CSP representations (build-time object and runtime string) are updated in lockstep — no drift between them
• The domain https://challenges.cloudflare.com is a legitimate, well-known Cloudflare-owned domain used exclusively for security challenges; adding it does not introduce any new attack surface

Confidence Score: 5/5

Safe to merge — minimal, targeted CSP fix for a legitimate Cloudflare-owned domain

No P0 or P1 issues found. The change is a straightforward allowlist addition to a well-known, trusted Cloudflare domain required for Turnstile captcha functionality. Both CSP representations (build-time and runtime) are updated consistently with no drift.

No files require special attention

Important Files Changed

Filename	Overview
apps/sim/lib/core/security/csp.ts	Adds https://challenges.cloudflare.com to script-src, frame-src, and connect-src in both build-time and runtime CSP configs to fix blocked Turnstile widget

Sequence Diagram

sequenceDiagram
    participant Browser
    participant App as Sim App
    participant CF as challenges.cloudflare.com

    Browser->>App: Load signup page
    App-->>Browser: HTML + CSP header
    Note over Browser,CF: script-src, frame-src, connect-src now allow challenges.cloudflare.com
    Browser->>CF: Load Turnstile script (script-src ✓)
    CF-->>Browser: Turnstile JS widget
    Browser->>CF: Load Turnstile iframe (frame-src ✓)
    CF-->>Browser: Challenge UI
    Browser->>CF: Verification request (connect-src ✓)
    CF-->>Browser: Turnstile token
    Browser->>App: Submit form with token
    App->>CF: Server-side token validation
    CF-->>App: Validation result

Loading

_{Reviews (1): Last reviewed commit: "fix(csp): allow Cloudflare Turnstile dom..." | Re-trigger Greptile}