
[app-bug] next.config.ts ships no Content-Security-Policy or security headers #866

@Gbangbolaoluwagbemiga

Description


Problem

The Next.js config is minimal — no CSP, HSTS, X-Frame-Options, X-Content-Type-Options, or Referrer-Policy. Any user-uploaded content (snippets in /playground, badge URLs in workspace files) currently runs without a CSP backstop.

Acceptance Criteria

  • Add a headers() block to frontend/next.config.ts covering:
    • Content-Security-Policy (default-src 'self', allow inline styles for Tailwind v4 dev only, no eval)
    • Strict-Transport-Security: max-age=31536000; includeSubDomains
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Referrer-Policy: strict-origin-when-cross-origin
    • Permissions-Policy: camera=(), microphone=(), geolocation=()
  • CSP report-only first behind CSP_REPORT_ONLY=1 env, then promoted to enforced
  • Smoke test: curl headers on /, /scan, and /api/analyze, assert each is present
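The acceptance criteria above translate fairly directly into a `headers()` block. The following is an added example, not the project's own `frontend/next.config.ts`: the header set, the `CSP_REPORT_ONLY=1` toggle and the smoke-test check follow the criteria listed in the issue, while the function names, the exact CSP source lists, and the `NODE_ENV`-based dev/prod switch are assumptions. The dev-only allowances (`'unsafe-inline'` for styles, `'unsafe-eval'` for Next's React Refresh) are the part that needs tuning against the real app; production gets neither.

```typescript
// Added example for frontend/next.config.ts (assumption: not the project's file).
// CSP is built from a directive map so the policy is easy to review and diff.

type Header = { key: string; value: string };

export function buildCsp(isDev: boolean): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    // Next dev needs eval for React Refresh/HMR; production allows no eval.
    "script-src": isDev ? ["'self'", "'unsafe-eval'"] : ["'self'"],
    // Inline styles only in dev (Tailwind v4 injects styles during dev).
    "style-src": isDev ? ["'self'", "'unsafe-inline'"] : ["'self'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"], // belt-and-braces alongside X-Frame-Options
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

export function buildSecurityHeaders(opts: { isDev: boolean; reportOnly: boolean }): Header[] {
  // Report-only first, so violations are logged without blocking anything;
  // flip reportOnly to false to promote the same policy to enforced.
  const cspHeader = opts.reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  return [
    { key: cspHeader, value: buildCsp(opts.isDev) },
    { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  ];
}

// Smoke-test helper: given a response's headers (as returned by curl -sI),
// return the required header names that are missing. Empty array = pass.
// Either CSP or CSP-Report-Only satisfies the CSP requirement.
export const REQUIRED_HEADERS = [
  "Strict-Transport-Security",
  "X-Frame-Options",
  "X-Content-Type-Options",
  "Referrer-Policy",
  "Permissions-Policy",
];

export function missingSecurityHeaders(headers: Record<string, string>): string[] {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  const missing = REQUIRED_HEADERS.filter((h) => !present.has(h.toLowerCase()));
  if (
    !present.has("content-security-policy") &&
    !present.has("content-security-policy-report-only")
  ) {
    missing.push("Content-Security-Policy");
  }
  return missing;
}

// Environment is read via globalThis so this file also type-checks without
// Node typings; in the real config process.env is available directly.
const env: Record<string, string | undefined> =
  (globalThis as { process?: { env?: Record<string, string | undefined> } }).process?.env ?? {};

// Structurally compatible with Next's headers() contract (assumption: no
// import of the NextConfig type so the example stays self-contained).
const nextConfig = {
  async headers() {
    return [
      {
        source: "/(.*)", // every route, including /scan and /api/analyze
        headers: buildSecurityHeaders({
          isDev: env.NODE_ENV !== "production",
          reportOnly: env.CSP_REPORT_ONLY === "1",
        }),
      },
    ];
  },
};

export default nextConfig;
```

For the smoke test in the issue, run `curl -sI` against `/`, `/scan` and `/api/analyze`, parse the `Name: value` lines into an object and pass it to `missingSecurityHeaders`; a non-empty result is the failure message. Note that `Strict-Transport-Security` is only honoured by browsers over HTTPS, so the header being present on a plain-HTTP dev server proves configuration, not enforcement.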

Pointers

Difficulty

Medium. Tuning the CSP without breaking Next dev is the real work.

Labels

  • area: frontend (Next.js frontend application)
  • area: security (Security vulnerabilities and hardening)
  • difficulty: medium (Requires domain knowledge, ~1-3 days)
  • priority: medium (Medium impact, upcoming sprint)
  • type: feature (New capability or enhancement)