Description
Issue
Cal.com does not set a Content-Security-Policy (CSP) response header. While other security headers are present (X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin), CSP is missing.
Verification
```shell
curl -sI http://localhost:3000/auth/login | grep -i content-security-policy
# No output - header is absent
```
Headers that ARE present:
```
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
```
Why it matters
CSP is a defense-in-depth mechanism against XSS attacks. Even if input sanitization works correctly (which it does - we verified SQL injection and XSS payloads are sanitized on signup), CSP provides a second layer of protection by restricting what scripts the browser will execute.
Suggested starting point
A minimal CSP for Next.js:
```
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:;
```
This can be added in next.config.js via the headers() function. A stricter policy with nonces can be adopted later.
Priority
Low — this is a security hardening measure, not a vulnerability. The existing headers cover the most critical protections (clickjacking, MIME sniffing).
Found via automated chaos monkey testing of response headers.