Skip to content

fix: Add HTTP security headers and Content-Security-Policy#92

Open
NeduTheDev1 wants to merge 2 commits into
soumen0818:mainfrom
NeduTheDev1:fix/security-headers-csp
Open

fix: Add HTTP security headers and Content-Security-Policy#92
NeduTheDev1 wants to merge 2 commits into
soumen0818:mainfrom
NeduTheDev1:fix/security-headers-csp

Conversation

@NeduTheDev1

@NeduTheDev1 NeduTheDev1 commented Jun 24, 2026

Copy link
Copy Markdown
  • Add CSP header allowing Supabase, Pinata gateway, Soroban RPC, and Freighter
  • Add HSTS with preload
  • Add X-Content-Type-Options: nosniff to prevent MIME sniffing
  • Add X-Frame-Options: DENY to prevent clickjacking
  • Add Referrer-Policy: strict-origin-when-cross-origin
  • Add Permissions-Policy to restrict camera, microphone, geolocation, payment
  • Add X-XSS-Protection header for legacy browser support
  • Configure CSP to allow necessary resources while maintaining security

Fixes #91

Closes #91

Summary by CodeRabbit

  • New Features
    • Added stronger security headers across the app, including a comprehensive content security policy, clickjacking protection, and referrer controls.
    • Improved browser-side safeguards with additional policy headers for content type handling, permissions, and cross-site scripting protection.

- Add CSP header allowing Supabase, Pinata gateway, Soroban RPC, and Freighter
- Add HSTS with preload
- Add X-Content-Type-Options: nosniff to prevent MIME sniffing
- Add X-Frame-Options: DENY to prevent clickjacking
- Add Referrer-Policy: strict-origin-when-cross-origin
- Add Permissions-Policy to restrict camera, microphone, geolocation, payment
- Add X-XSS-Protection header for legacy browser support
- Configure CSP to allow necessary resources while maintaining security

Fixes soumen0818#91
@vercel

vercel Bot commented Jun 24, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the sdas721444-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6027cfac-679b-4a23-896c-a77d2676cb53

📥 Commits

Reviewing files that changed from the base of the PR and between 0057339 and 19eb9b0.

📒 Files selected for processing (1)
  • frontend/next.config.ts

📝 Walkthrough

Walkthrough

frontend/next.config.ts now adds an async headers() function that applies a route-wide Content-Security-Policy and several other security headers to all paths.

Changes

HTTP Security Headers

Layer / File(s) Summary
Security headers function and nextConfig wiring
frontend/next.config.ts
Adds async headers() returning a catch-all route header set with a constructed Content-Security-Policy plus X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security, and X-XSS-Protection.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related issues

  • #91: No HTTP security headers / Content-Security-Policy — This PR directly adds the missing headers() configuration and the listed security headers in frontend/next.config.ts.
  • #80 — Also targets adding production security headers/CSP in frontend/next.config.ts.

Possibly related PRs

Suggested reviewers: soumen0818

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: adding HTTP security headers and a CSP.
Description check ✅ Passed The description covers what changed and why, with only the Testing and Notes template sections omitted.
Linked Issues check ✅ Passed The PR adds the requested headers and CSP allowances for the listed services, satisfying issue #91's core requirements.
Out of Scope Changes check ✅ Passed The changes stay within frontend security-header configuration and do not introduce unrelated scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@drips-wave

drips-wave Bot commented Jun 24, 2026

Copy link
Copy Markdown

@NeduTheDev1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (2)
frontend/next.config.ts (2)

42-45: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

X-XSS-Protection is deprecated; prefer 0 or omit it.

The legacy XSS auditor has been removed from modern browsers and 1; mode=block can itself introduce side-channel/XS-issues in older engines. Current guidance (and most securityheaders.com configs) is to disable it and rely on the CSP instead.

🛡️ Suggested change
         {
           key: 'X-XSS-Protection',
-          value: '1; mode=block',
+          value: '0',
         },
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/next.config.ts` around lines 42 - 45, The securityHeaders
configuration in next.config.ts still sets X-XSS-Protection to 1; mode=block,
which is deprecated. Update the header entry in the security headers array to
disable it with 0 or remove the X-XSS-Protection header entirely, relying on the
existing CSP instead; use the securityHeaders configuration block to locate the
change.

38-41: 🔒 Security & Privacy | 🔵 Trivial

Consider the operational cost of HSTS preload.

includeSubDomains; preload with a 2-year max-age is a strong, hard-to-reverse commitment: every current and future subdomain must serve valid HTTPS, and removal from browser preload lists is slow. Confirm all subdomains are HTTPS-ready before submitting to the preload list. Until then, you may want to ship without preload first and add it once verified.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/next.config.ts` around lines 38 - 41, The Strict-Transport-Security
header in the Next.js config is currently sending a preload commitment, which is
too aggressive unless every subdomain is fully HTTPS-ready. Update the header
definition in next.config.ts so the HSTS policy is shipped without preload
first, keeping the max-age and other settings aligned with your deployment
readiness, and only add preload later once all subdomains are verified. Use the
existing header entry under the security headers config to make this change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/next.config.ts`:
- Line 16: The CSP in next.config.ts is missing the Soroban RPC hosts used by
frontend/src/lib/stellar.ts, so default on-chain calls can be blocked. Update
the connect-src directive alongside the existing Stellar hosts to include both
soroban-testnet.stellar.org and soroban-mainnet.stellar.org, keeping the current
rpc-futurenet entry as well.
- Line 12: Tighten the CSP in the Next.js config by removing the blanket
`script-src` bypasses in the CSP string and switching `script-src` to a
nonce/hash-based approach, while keeping `next.config.ts` as the place where the
header is built. Also update `connect-src` to include the Soroban RPC endpoints
used by the app, namely the testnet and mainnet Stellar Soroban origins, so
requests from the app are not blocked.

---

Nitpick comments:
In `@frontend/next.config.ts`:
- Around line 42-45: The securityHeaders configuration in next.config.ts still
sets X-XSS-Protection to 1; mode=block, which is deprecated. Update the header
entry in the security headers array to disable it with 0 or remove the
X-XSS-Protection header entirely, relying on the existing CSP instead; use the
securityHeaders configuration block to locate the change.
- Around line 38-41: The Strict-Transport-Security header in the Next.js config
is currently sending a preload commitment, which is too aggressive unless every
subdomain is fully HTTPS-ready. Update the header definition in next.config.ts
so the HSTS policy is shipped without preload first, keeping the max-age and
other settings aligned with your deployment readiness, and only add preload
later once all subdomains are verified. Use the existing header entry under the
security headers config to make this change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9d3f6713-f0ce-43c5-819d-bd6e123e3d8b

📥 Commits

Reviewing files that changed from the base of the PR and between 24c85b7 and 0057339.

📒 Files selected for processing (1)
  • frontend/next.config.ts

Comment thread frontend/next.config.ts
Comment thread frontend/next.config.ts
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"img-src 'self' data: https: blob:",
"font-src 'self' https://fonts.gstatic.com",
"connect-src 'self' https://*.supabase.co https://gateway.pinata.cloud https://*.ipfs.dweb.link https://horizon.stellar.org https://horizon-testnet.stellar.org https://rpc-futurenet.stellar.org wss://*.supabase.co",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find RPC / Horizon / Soroban endpoints referenced in the frontend to cross-check against connect-src.
rg -nP --type=ts --type=tsx -e 'https?://[a-zA-Z0-9.-]*stellar\.org' -e 'soroban' -e 'rpcUrl|RPC_URL|networkUrl|horizonUrl' frontend || \
rg -nP -e 'https?://[a-zA-Z0-9.-]*stellar\.org' -e 'soroban' frontend

Repository: soumen0818/ACREDIA-STELLAR

Length of output: 2409


🏁 Script executed:

#!/bin/bash
sed -n '1,120p' frontend/src/lib/stellar.ts
sed -n '1,80p' frontend/next.config.ts

Repository: soumen0818/ACREDIA-STELLAR

Length of output: 4361


🏁 Script executed:

#!/bin/bash
sed -n '1,120p' frontend/src/lib/stellar.ts
sed -n '1,80p' frontend/next.config.ts

Repository: soumen0818/ACREDIA-STELLAR

Length of output: 4361


Add Soroban RPC hosts to connect-src. frontend/src/lib/stellar.ts uses https://soroban-testnet.stellar.org by default (and https://soroban-mainnet.stellar.org for mainnet), but frontend/next.config.ts only allows https://rpc-futurenet.stellar.org. That will block the default testnet on-chain calls under CSP.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/next.config.ts` at line 16, The CSP in next.config.ts is missing the
Soroban RPC hosts used by frontend/src/lib/stellar.ts, so default on-chain calls
can be blocked. Update the connect-src directive alongside the existing Stellar
hosts to include both soroban-testnet.stellar.org and
soroban-mainnet.stellar.org, keeping the current rpc-futurenet entry as well.

@soumen0818

Copy link
Copy Markdown
Owner
  • Add CSP header allowing Supabase, Pinata gateway, Soroban RPC, and Freighter
  • Add HSTS with preload
  • Add X-Content-Type-Options: nosniff to prevent MIME sniffing
  • Add X-Frame-Options: DENY to prevent clickjacking
  • Add Referrer-Policy: strict-origin-when-cross-origin
  • Add Permissions-Policy to restrict camera, microphone, geolocation, payment
  • Add X-XSS-Protection header for legacy browser support
  • Configure CSP to allow necessary resources while maintaining security

Fixes #91

Closes #91

Summary by CodeRabbit

  • New Features

    • Added stronger security headers across the app, including content security, clickjacking protection, referrer controls, and transport security.
    • Improved browser-side protection with additional policy headers for content type handling, permissions, and cross-site scripting safeguards.

Hey, you just added a file; please analyse the issue very carefully and then update accordingly. Then create a fresh PR.

@NeduTheDev1 NeduTheDev1 requested a review from soumen0818 as a code owner July 5, 2026 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

No HTTP security headers / Content-Security-Policy

2 participants