CSP-Flag

deploy/quadlet/README.md

@@ -86,6 +86,10 @@ Default workflow mode uses user services (`systemctl --user`) and rootless Podma
 
 So no root sudo is required for normal deploy runs.
 
+CSP hardening recommendation:
+- Keep a single CSP source to avoid policy conflicts.
+- In these templates, Traefik sets CSP and app-level CSP is disabled via `APP_CSP_ENABLED=false`.
+
 Required sudo permissions for the Gitea runner user (example):
 
 ```text