diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12f6261c0..b044d2501 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Verified GitHub review webhook deliveries before processing them. [#1378](https://github.com/sourcebot-dev/sourcebot/pull/1378)
 - Passed Zoekt index parameters via argv to preserve revision names with punctuation. [#1376](https://github.com/sourcebot-dev/sourcebot/pull/1376)
 - [EE] Validated OAuth bearer token scopes before allowing access to the Sourcebot MCP resource server. [#1396](https://github.com/sourcebot-dev/sourcebot/pull/1396)
+- Added HTTP security headers to all web app responses. [#1407](https://github.com/sourcebot-dev/sourcebot/pull/1407)
 
 ## [5.0.4] - 2026-06-18
 
diff --git a/packages/web/next.config.mjs b/packages/web/next.config.mjs
index 48e01b40c..dbf08d2e4 100644
--- a/packages/web/next.config.mjs
+++ b/packages/web/next.config.mjs
@@ -62,6 +62,46 @@ const nextConfig = {
 }
 ];
 },
+ // Apply HTTP security headers to all responses to align with security
+ // hardening best practices (defends against clickjacking, MIME-sniffing,
+ // TLS downgrade, and referrer leakage). We intentionally avoid a strict
+ // Content-Security-Policy `script-src` here since Next.js, PostHog, and
+ // Sentry rely on inline scripts; instead CSP is scoped to `frame-ancestors`
+ // to prevent framing, mirroring the X-Frame-Options directive below.
+ async headers() {
+ return [
+ {
+ source: "/:path*",
+ headers: [
+ {
+ key: "Strict-Transport-Security",
+ value: "max-age=63072000; includeSubDomains",
+ },
+ {
+ key: "X-Content-Type-Options",
+ value: "nosniff",
+ },
+ {
+ key: "X-Frame-Options",
+ value: "SAMEORIGIN",
+ },
+ {
+ key: "Referrer-Policy",
+ value: "strict-origin-when-cross-origin",
+ },
+ {
+ key: "Permissions-Policy",
+ value: "camera=(), microphone=(), geolocation=()",
+ },
+ {
+ key: "Content-Security-Policy",
+ value: "frame-ancestors 'self'",
+ },
+ ],
+ },
+ ];
+ },
+
 
 // This is required to support PostHog trailing slash API requests
 skipTrailingSlashRedirect: true,
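Review bot: The unconditional `Strict-Transport-Security` entry in `headers()` is the one header here whose effect outlives a config change: once a browser receives it over HTTPS, `max-age=63072000; includeSubDomains` pins the Sourcebot host and every subdomain of it to HTTPS for two years, and a self-hosted operator cannot undo that from the server side if some subdomain is HTTP-only. Browsers ignore HSTS on plain-HTTP responses, so the header is inert for local or HTTP-only installs, but deployments that terminate TLS at a reverse proxy will get it in full, and that proxy is where operators usually manage HSTS already. The comment block above `async headers()` should state this, e.g. `// NOTE: HSTS is only honored over HTTPS; includeSubDomains with a 2-year max-age pins all subdomains of this host, so operators who terminate TLS at a proxy may prefer to set it there.`, and it is worth considering making that single entry operator-controlled rather than hard-coded. The remaining headers are stateless and the `frame-ancestors 'self'` / `SAMEORIGIN` pairing is consistent. The enclosing `nextConfig` object starts and ends outside the hunk.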