RevivalOps CSP header receipt
Date (UTC): 2026-02-18T20:56:01Z
Scope: CSP configuration validation for static release pages.

Configured header (vercel.json):
Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-src 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; form-action 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; upgrade-insecure-requests

curl -I http://127.0.0.1:4321/
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.12.11
Date: Wed, 18 Feb 2026 20:56:00 GMT
Content-type: text/html
Content-Length: 54513
Last-Modified: Wed, 18 Feb 2026 20:52:27 GMT
Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-src 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; form-action 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; upgrade-insecure-requests

curl -I http://127.0.0.1:4321/intake.html
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.12.11
Date: Wed, 18 Feb 2026 20:56:01 GMT
Content-type: text/html
Content-Length: 11642
Last-Modified: Wed, 18 Feb 2026 20:52:27 GMT
Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-src 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; form-action 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; upgrade-insecure-requests

curl -I http://127.0.0.1:4321/process-receipts.html
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.12.11
Date: Wed, 18 Feb 2026 20:56:01 GMT
Content-type: text/html
Content-Length: 21362
Last-Modified: Wed, 18 Feb 2026 20:52:27 GMT
Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-src 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; form-action 'self' https://cal.com https://*.cal.com https://cal.eu https://*.cal.eu; upgrade-insecure-requests

Runtime smoke checks (Playwright):
- / : 200, first-party metrics script loaded (window.revTrack=function), no CSP violation errors.
- /intake.html : 200, booking page script loaded, no CSP violation errors.
- /process-receipts.html : 200, receipt scripts loaded, no CSP violation errors.

Note:
- Local static test server does not implement /api/track POST, so local-only 501 POST logs appear during metrics calls.
- Production header confirmation requires deployment of this vercel.json change.