From 04cae15b9d333de21d98a4d1be8ed32813d88a8a Mon Sep 17 00:00:00 2001
From: msukkari
Date: Tue, 30 Jun 2026 20:28:53 -0700
Subject: [PATCH 1/4] fix(web): add HTTP security headers to all responses

Addresses the missing HTTP security headers finding by setting HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and a frame-ancestors CSP on all responses via the Next.js headers() config.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md | 1 +
 packages/web/next.config.mjs | 40 ++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12f6261c0..7132b50f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Verified GitHub review webhook deliveries before processing them. [#1378](https://github.com/sourcebot-dev/sourcebot/pull/1378)
 - Passed Zoekt index parameters via argv to preserve revision names with punctuation. [#1376](https://github.com/sourcebot-dev/sourcebot/pull/1376)
 - [EE] Validated OAuth bearer token scopes before allowing access to the Sourcebot MCP resource server. [#1396](https://github.com/sourcebot-dev/sourcebot/pull/1396)
+- Added HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CSP frame-ancestors) to all web app responses. [#1397](https://github.com/sourcebot-dev/sourcebot/pull/1397)
 ## [5.0.4] - 2026-06-18
diff --git a/packages/web/next.config.mjs b/packages/web/next.config.mjs
index 48e01b40c..dbf08d2e4 100644
--- a/packages/web/next.config.mjs
+++ b/packages/web/next.config.mjs
@@ -62,6 +62,46 @@ const nextConfig = {
 }
 ];
 },
+ // Apply HTTP security headers to all responses to align with security
+ // hardening best practices (defends against clickjacking, MIME-sniffing,
+ // TLS downgrade, and referrer leakage). We intentionally avoid a strict
+ // Content-Security-Policy `script-src` here since Next.js, PostHog, and
+ // Sentry rely on inline scripts; instead CSP is scoped to `frame-ancestors`
+ // to prevent framing, mirroring the X-Frame-Options directive below.
+ async headers() {
+ return [
+ {
+ source: "/:path*",
+ headers: [
+ {
+ key: "Strict-Transport-Security",
+ value: "max-age=63072000; includeSubDomains",
+ },
+ {
+ key: "X-Content-Type-Options",
+ value: "nosniff",
+ },
+ {
+ key: "X-Frame-Options",
+ value: "SAMEORIGIN",
+ },
+ {
+ key: "Referrer-Policy",
+ value: "strict-origin-when-cross-origin",
+ },
+ {
+ key: "Permissions-Policy",
+ value: "camera=(), microphone=(), geolocation=()",
+ },
+ {
+ key: "Content-Security-Policy",
+ value: "frame-ancestors 'self'",
+ },
+ ],
+ },
+ ];
+ },
+
 // This is required to support PostHog trailing slash API requests
 skipTrailingSlashRedirect: true,

From 5466592fe788c358213e41204059ad8271e8183d Mon Sep 17 00:00:00 2001
From: msukkari
Date: Tue, 30 Jun 2026 20:29:07 -0700
Subject: [PATCH 2/4] chore: fix CHANGELOG PR link

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7132b50f5..663071f63 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
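Review bot: The Strict-Transport-Security entry in this hunk hard-codes `includeSubDomains` for every deployment, which pins all subdomains of whatever host serves Sourcebot to HTTPS for the full two-year max-age and can lock out HTTP-only sibling services on the same parent domain; that is a deployment decision rather than an application one, so consider making it opt-in or at least documenting it. Browsers also ignore Strict-Transport-Security on responses received over plain HTTP, so the "TLS downgrade" defence claimed in the leading comment only holds once TLS is terminated in front of the app. A short comment on the entry would make both points explicit: `// Only honoured on HTTPS responses; includeSubDomains pins every subdomain of the serving host to HTTPS for max-age, so drop it if sibling subdomains are served over plain HTTP.` As a style point, the Next.js docs keep the header list in a module-level `securityHeaders` constant, which would make `headers()` a one-liner and let the list be asserted on directly in a test; the enclosing `nextConfig` object starts and ends outside this hunk.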
@@ -26,7 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Verified GitHub review webhook deliveries before processing them. [#1378](https://github.com/sourcebot-dev/sourcebot/pull/1378)
 - Passed Zoekt index parameters via argv to preserve revision names with punctuation. [#1376](https://github.com/sourcebot-dev/sourcebot/pull/1376)
 - [EE] Validated OAuth bearer token scopes before allowing access to the Sourcebot MCP resource server. [#1396](https://github.com/sourcebot-dev/sourcebot/pull/1396)
-- Added HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CSP frame-ancestors) to all web app responses. [#1397](https://github.com/sourcebot-dev/sourcebot/pull/1397)
+- Added HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CSP frame-ancestors) to all web app responses. [#1397](https://github.com/sourcebot-dev/sourcebot/pull/1407)
 ## [5.0.4] - 2026-06-18

From 269b7385bfb16ffd8b1e56bf225d23222b06dc20 Mon Sep 17 00:00:00 2001
From: msukkari
Date: Tue, 30 Jun 2026 20:37:40 -0700
Subject: [PATCH 3/4] chore: fix CHANGELOG PR id mismatch

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 663071f63..99211e8f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,7 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Verified GitHub review webhook deliveries before processing them. [#1378](https://github.com/sourcebot-dev/sourcebot/pull/1378)
 - Passed Zoekt index parameters via argv to preserve revision names with punctuation. [#1376](https://github.com/sourcebot-dev/sourcebot/pull/1376)
 - [EE] Validated OAuth bearer token scopes before allowing access to the Sourcebot MCP resource server. [#1396](https://github.com/sourcebot-dev/sourcebot/pull/1396)
-- Added HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CSP frame-ancestors) to all web app responses. [#1397](https://github.com/sourcebot-dev/sourcebot/pull/1407)
+- Added HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CSP frame-ancestors) to all web app responses. [#1407](https://github.com/sourcebot-dev/sourcebot/pull/1407)
 ## [5.0.4] - 2026-06-18

From 738cdf447e0632d637e6baac37acb56e9c5fc35a Mon Sep 17 00:00:00 2001
From: msukkari
Date: Tue, 30 Jun 2026 20:38:16 -0700
Subject: [PATCH 4/4] chore: simplify CHANGELOG security headers entry

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99211e8f6..b044d2501 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,7 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Verified GitHub review webhook deliveries before processing them. [#1378](https://github.com/sourcebot-dev/sourcebot/pull/1378)
 - Passed Zoekt index parameters via argv to preserve revision names with punctuation. [#1376](https://github.com/sourcebot-dev/sourcebot/pull/1376)
 - [EE] Validated OAuth bearer token scopes before allowing access to the Sourcebot MCP resource server. [#1396](https://github.com/sourcebot-dev/sourcebot/pull/1396)
-- Added HTTP security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CSP frame-ancestors) to all web app responses. [#1407](https://github.com/sourcebot-dev/sourcebot/pull/1407)
+- Added HTTP security headers to all web app responses. [#1407](https://github.com/sourcebot-dev/sourcebot/pull/1407)
 ## [5.0.4] - 2026-06-18