From 635dfb3221f1370727fc2fc54ecaf26c7212cf0a Mon Sep 17 00:00:00 2001
From: tolelom <98kimsungmin@naver.com>
Date: Tue, 17 Mar 2026 09:19:26 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20Swagger=20UI=20CSP=20=EC=99=84=ED=99=94?=
 =?UTF-8?q?=ED=95=98=EC=97=AC=20=EB=A6=AC=EC=86=8C=EC=8A=A4=20=EB=A1=9C?=
 =?UTF-8?q?=EB=94=A9=20=ED=97=88=EC=9A=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 pkg/middleware/security.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/middleware/security.go b/pkg/middleware/security.go
index 260c4bb..9334c77 100644
--- a/pkg/middleware/security.go
+++ b/pkg/middleware/security.go
@@ -1,6 +1,10 @@
 package middleware
 
-import "github.com/gofiber/fiber/v2"
+import (
+	"strings"
+
+	"github.com/gofiber/fiber/v2"
+)
 
 // SecurityHeaders sets common HTTP security headers on every response.
 func SecurityHeaders(c *fiber.Ctx) error {
@@ -8,7 +12,13 @@ func SecurityHeaders(c *fiber.Ctx) error {
 	c.Set("X-Frame-Options", "DENY")
 	c.Set("X-XSS-Protection", "0")
 	c.Set("Referrer-Policy", "strict-origin-when-cross-origin")
-	c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
+
+	if strings.HasPrefix(c.Path(), "/swagger") {
+		c.Set("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'")
+	} else {
+		c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
+	}
+
 	c.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 	return c.Next()
 }