Content Security Policy on shared hosting with two Node.js apps

Hello everyone,

I'm working on a SvelteKit and Strapi project
and put it on shared hosting with cPanel.
My SvelteKit app responds on /
Strapi on /api
Strapi responds to API calls, and while loading the admin I get the page title "Strapi".
It seems like everything is working, but I encountered a problem with Content Security Policy: inline («script-src»).
The whole application loads, but my route api/admin ends with this error
and could load/get hostname/admin/runtime~main.306e5e56.js
I guess something should be done with the headers?
Or I guess a better option would be to place it on a subdomain?

Oh, I forgot: now my server is running
Welcome back!
To manage your project :rocket:, go to the administration panel at:

To access the server :zap:, go to:

Previously I read that it is possible to use such settings; should I use my domain host name instead?

One more time, to make sure that /api/admin responds:
curl -I Strapi Admin
HTTP/1.1 200 OK

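So the browser prevents running
the following function:
function injectScriptSync(src) {
  let code = '';
  // Synchronous XHR: fetch the script source before continuing.
  const request = new XMLHttpRequest();
  request.addEventListener('load', function () {
    code = this.responseText;
  });
  request.open('GET', src, false);
  request.send();
  // Inline script element: this is what an inline «script-src» restriction blocks.
  const script = document.createElement('script');
  script.textContent = code;
  // This script runs before the <head> element is created,
  // so we add the script to <html> instead.
  document.documentElement.appendChild(script);
}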

So when I run the Strapi app on /, this problem doesn't appear. But before that I manipulated my ENV variables; should I rebuild the admin panel?

As I'm on shared hosting, it's not that trivial a task.

Looking for a solution in the Middleware config in the Strapi docs

contentSecurityPolicy Set the Content-Security-Policy header Object

Overview of the standard

Strapi official docs

also for reference

Added some policies to the response, including my domain and 'self'. The browser still prevents loading.

Response headers:
script-src 'self' '';connect-src 'self' https:;img-src 'self' data: blob:;media-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'

One more thing:
console.log also shows a "not found" error.
Should this script be downloaded as above?

fetch request

As I asked before, should I rebuild the admin, because my app is now located on {host}/api?

Or does this error come from content security?

Solved the problem with CONTENT SECURITY:
I needed to add 'unsafe-inline' in the middleware config,
but the scripts are not loaded.
Error: not found. Heh, I guess I need to rebuild the admin(((

OK, for the script download error I rebuilt the admin panel:
stop all processes and the server
npm run build
and then rerun the server with NODE_ENV=production npm run start

Almost there.
I already have a beautiful spinner, but there is a new error:

TypeError: (intermediate value) is undefined
in main.js dfsdfsdf

TypeError: (intermediate value) is undefined
11094 /api/admin/main.eb93c48a.js:761
11094 /api/admin/main.eb93c48a.js:761
e /api/admin/runtime~main.cda6b828.js:1
E /api/admin/main.eb93c48a.js:2926
r /api/admin/runtime~main.cda6b828.js:2
11094 /api/admin/main.eb93c48a.js:761
11094 /api/admin/main.eb93c48a.js:761
e api/admin/runtime~main.cda6b828.js:1
E /api/admin/main.eb93c48a.js:2926
<анонимный> /api/admin/main.eb93c48a.js:2926
r /api/admin/runtime~main.cda6b828.js:2
<анонимный> /api/admin/main.eb93c48a.js:1

I'm also getting an error in the UI: "error occurs on requesting API" or something like this.

Deleted unrelated.
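
The trade-off behind adding 'unsafe-inline' to script-src, as an added example that is not part of the original posts and is not Strapi code: a small Node.js check that evaluates whether an inline script is allowed under a given policy, comparing the posted policy, the same policy with 'unsafe-inline', and one pinned to a single script by hash. The function names, the abbreviated sample header and the sample script body are constructed for illustration, and the model is simplified (it ignores 'strict-dynamic').

```javascript
const crypto = require('node:crypto');

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// CSP hash source that allows exactly one inline script body.
function hashSource(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Would a <script> element with this inline body be allowed to run?
function inlineScriptAllowed(header, scriptText, nonce) {
  const p = parseCsp(header);
  const sources = p['script-src-elem'] ?? p['script-src'] ?? p['default-src'];
  if (sources === undefined) return true; // no directive governs scripts
  if (sources.includes(hashSource(scriptText))) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // Browsers ignore 'unsafe-inline' once any nonce or hash source is present.
  const pinned = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !pinned;
}

// Return the policy with one extra source added to script-src.
function withScriptSource(header, source) {
  return header.replace(/(^|;)\s*script-src\s/, (m) => `${m}${source} `);
}

// Constructed sample: script-related directives from the response header quoted above.
const PAGE_POLICY = "script-src 'self';default-src 'self';object-src 'none';script-src-attr 'none'";
const INLINE = 'window.__demoBoot = true;'; // constructed inline script body
const OTHER = 'console.log("some other inline script");'; // constructed

const loose = withScriptSource(PAGE_POLICY, "'unsafe-inline'");
const pinnedPolicy = withScriptSource(PAGE_POLICY, hashSource(INLINE));
console.log('posted policy  :', inlineScriptAllowed(PAGE_POLICY, INLINE));
console.log('unsafe-inline  :', inlineScriptAllowed(loose, INLINE), inlineScriptAllowed(loose, OTHER));
console.log('hash-pinned    :', inlineScriptAllowed(pinnedPolicy, INLINE), inlineScriptAllowed(pinnedPolicy, OTHER));
```

With 'unsafe-inline' every inline script passes, including injected ones; the hash-pinned policy allows only the one known script body.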