During development, you'll see a warning about Content Security Policy:
Electron Security Warning (Insecure Content-Security-Policy)
This is expected and normal during development because:
- Development Mode: Vite and other dev tools require `'unsafe-eval'` for hot module replacement (HMR) and dev features
- The warning only appears in development: It won't show in packaged production apps
- Production builds have strict CSP: The app applies a strict CSP policy in production mode
- ✅ Context Isolation: Enabled to isolate renderer process from Node.js
- ✅ Node Integration: Disabled in renderer for security
- ✅ Web Security: Enabled to enforce same-origin policy
- ✅ Secure IPC: All API calls go through a secure preload bridge
- ✅ Domain Whitelisting: Only allowed domains can be accessed
- ✅ Encrypted Storage: Credentials stored with encryption
In production, the app enforces:
- No `unsafe-eval` in scripts
- Only self-hosted scripts allowed
- API connections limited to Datalayer domains
- No inline scripts (except styles with `unsafe-inline` for UI libraries)
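As an added example (not the app's own code), the sketch below builds a policy string per mode from the rules listed above and audits any policy string against the production rules. The function names, the exact directive set and the placeholder `connect-src` host are assumptions.

```javascript
// Added example. ALLOWED_CONNECT uses a placeholder host, not a real Datalayer domain.
const ALLOWED_CONNECT = ["'self'", "https://api.datalayer.example"];

// Build the policy for a mode: 'unsafe-eval' is added only for development (HMR).
function buildCsp(mode) {
  const scriptSrc = ["'self'"];
  if (mode === "development") scriptSrc.push("'unsafe-eval'");
  return [
    "default-src 'self'",
    `script-src ${scriptSrc.join(" ")}`,
    "style-src 'self' 'unsafe-inline'", // inline styles only, for UI libraries
    `connect-src ${ALLOWED_CONNECT.join(" ")}`,
  ].join("; ");
}

// Parse a policy into directive -> source list. When a directive is repeated,
// only the first occurrence counts, so later copies are ignored here too.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return a list of findings; an empty list means the policy meets the production rules.
function auditProductionCsp(policy, allowedConnect = ALLOWED_CONNECT) {
  const directives = parseCsp(policy);
  const findings = [];
  const check = (directive, allowed) => {
    // script-src and connect-src fall back to default-src when absent.
    const sources = directives.get(directive) || directives.get("default-src");
    if (!sources) return findings.push(`${directive}: not restricted`);
    for (const s of sources) {
      if (!allowed.includes(s.toLowerCase())) {
        findings.push(`${directive}: unexpected source ${s}`);
      }
    }
  };
  check("script-src", ["'self'"]);       // no eval, no inline, no remote scripts
  check("connect-src", allowedConnect);  // API connections limited to the allowlist
  return findings;
}
```

In an Electron main process, a string like the one `buildCsp` returns is typically sent as the `Content-Security-Policy` response header through `session.defaultSession.webRequest.onHeadersReceived`.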
| Feature | Development | Production |
|---|---|---|
| CSP Warning | Shows | Hidden |
| unsafe-eval | Allowed (for HMR) | Blocked |
| DevTools | Open | Closed |
| Debug Logs | Enabled | Disabled |
The security warning is a helpful reminder but doesn't indicate a problem during development.