From 4e408cbc4243153371f982bea228a955a7973c87 Mon Sep 17 00:00:00 2001
From: Tom Misilo <1446856+misilot@users.noreply.github.com>
Date: Wed, 5 May 2021 12:51:47 -0500
Subject: [PATCH] Fix CSP Always being Enabled unless in debug mode. (#9543)
---
 app/Http/Middleware/SecurityHeaders.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php
index 4a75d6ec29..8a3800ffe6 100644
--- a/app/Http/Middleware/SecurityHeaders.php
+++ b/app/Http/Middleware/SecurityHeaders.php
@@ -99,7 +99,7 @@ class SecurityHeaders
 // We have to exclude debug mode here because debugbar pulls from a CDN or two
 // and it will break things.
- if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
+ if ((config('app.debug')!='true') && (config('app.enable_csp')=='true')) {
 $csp_policy[] = "default-src 'self'";
 $csp_policy[] = "style-src 'self' 'unsafe-inline'";
 $csp_policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
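Review bot: The new `if` makes the CSP header opt-in and compares both settings loosely against the string `'true'`, so a value such as `1` or `'on'` for `app.enable_csp` leaves the policy off without any error. A deployment that never sets the option also stops sending CSP after this change unless the config default, which is not visible in this hunk, is true. Parsing the flags explicitly would be less brittle, e.g. `$cspEnabled = filter_var(config('app.enable_csp'), FILTER_VALIDATE_BOOLEAN);` and the same for `app.debug`. The comment above the condition should also record the precedence, for instance `// CSP is sent only when app.enable_csp is true and app.debug is off; debug mode disables it even if enable_csp is set.` The enclosing method starts and ends outside the hunk.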