fix: Add HTTP security headers and Content-Security-Policy#92
fix: Add HTTP security headers and Content-Security-Policy#92NeduTheDev1 wants to merge 2 commits into
Conversation
- Add CSP header allowing Supabase, Pinata gateway, Soroban RPC, and Freighter - Add HSTS with preload - Add X-Content-Type-Options: nosniff to prevent MIME sniffing - Add X-Frame-Options: DENY to prevent clickjacking - Add Referrer-Policy: strict-origin-when-cross-origin - Add Permissions-Policy to restrict camera, microphone, geolocation, payment - Add X-XSS-Protection header for legacy browser support - Configure CSP to allow necessary resources while maintaining security Fixes soumen0818#91
|
Someone is attempting to deploy a commit to the sdas721444-gmailcom's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthrough
ChangesHTTP Security Headers
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related issues
Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@NeduTheDev1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
frontend/next.config.ts (2)
42-45: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
X-XSS-Protectionis deprecated; prefer0or omit it.The legacy XSS auditor has been removed from modern browsers and
1; mode=blockcan itself introduce side-channel/XS-issues in older engines. Current guidance (and most securityheaders.com configs) is to disable it and rely on the CSP instead.🛡️ Suggested change
{ key: 'X-XSS-Protection', - value: '1; mode=block', + value: '0', },🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@frontend/next.config.ts` around lines 42 - 45, The securityHeaders configuration in next.config.ts still sets X-XSS-Protection to 1; mode=block, which is deprecated. Update the header entry in the security headers array to disable it with 0 or remove the X-XSS-Protection header entirely, relying on the existing CSP instead; use the securityHeaders configuration block to locate the change.
38-41: 🔒 Security & Privacy | 🔵 TrivialConsider the operational cost of HSTS
preload.
includeSubDomains; preloadwith a 2-year max-age is a strong, hard-to-reverse commitment: every current and future subdomain must serve valid HTTPS, and removal from browser preload lists is slow. Confirm all subdomains are HTTPS-ready before submitting to the preload list. Until then, you may want to ship withoutpreloadfirst and add it once verified.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@frontend/next.config.ts` around lines 38 - 41, The Strict-Transport-Security header in the Next.js config is currently sending a preload commitment, which is too aggressive unless every subdomain is fully HTTPS-ready. Update the header definition in next.config.ts so the HSTS policy is shipped without preload first, keeping the max-age and other settings aligned with your deployment readiness, and only add preload later once all subdomains are verified. Use the existing header entry under the security headers config to make this change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@frontend/next.config.ts`:
- Line 16: The CSP in next.config.ts is missing the Soroban RPC hosts used by
frontend/src/lib/stellar.ts, so default on-chain calls can be blocked. Update
the connect-src directive alongside the existing Stellar hosts to include both
soroban-testnet.stellar.org and soroban-mainnet.stellar.org, keeping the current
rpc-futurenet entry as well.
- Line 12: Tighten the CSP in the Next.js config by removing the blanket
`script-src` bypasses in the CSP string and switching `script-src` to a
nonce/hash-based approach, while keeping `next.config.ts` as the place where the
header is built. Also update `connect-src` to include the Soroban RPC endpoints
used by the app, namely the testnet and mainnet Stellar Soroban origins, so
requests from the app are not blocked.
---
Nitpick comments:
In `@frontend/next.config.ts`:
- Around line 42-45: The securityHeaders configuration in next.config.ts still
sets X-XSS-Protection to 1; mode=block, which is deprecated. Update the header
entry in the security headers array to disable it with 0 or remove the
X-XSS-Protection header entirely, relying on the existing CSP instead; use the
securityHeaders configuration block to locate the change.
- Around line 38-41: The Strict-Transport-Security header in the Next.js config
is currently sending a preload commitment, which is too aggressive unless every
subdomain is fully HTTPS-ready. Update the header definition in next.config.ts
so the HSTS policy is shipped without preload first, keeping the max-age and
other settings aligned with your deployment readiness, and only add preload
later once all subdomains are verified. Use the existing header entry under the
security headers config to make this change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 9d3f6713-f0ce-43c5-819d-bd6e123e3d8b
📒 Files selected for processing (1)
frontend/next.config.ts
| "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com", | ||
| "img-src 'self' data: https: blob:", | ||
| "font-src 'self' https://fonts.gstatic.com", | ||
| "connect-src 'self' https://*.supabase.co https://gateway.pinata.cloud https://*.ipfs.dweb.link https://horizon.stellar.org https://horizon-testnet.stellar.org https://rpc-futurenet.stellar.org wss://*.supabase.co", |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Find RPC / Horizon / Soroban endpoints referenced in the frontend to cross-check against connect-src.
rg -nP --type=ts --type=tsx -e 'https?://[a-zA-Z0-9.-]*stellar\.org' -e 'soroban' -e 'rpcUrl|RPC_URL|networkUrl|horizonUrl' frontend || \
rg -nP -e 'https?://[a-zA-Z0-9.-]*stellar\.org' -e 'soroban' frontendRepository: soumen0818/ACREDIA-STELLAR
Length of output: 2409
🏁 Script executed:
#!/bin/bash
sed -n '1,120p' frontend/src/lib/stellar.ts
sed -n '1,80p' frontend/next.config.tsRepository: soumen0818/ACREDIA-STELLAR
Length of output: 4361
🏁 Script executed:
#!/bin/bash
sed -n '1,120p' frontend/src/lib/stellar.ts
sed -n '1,80p' frontend/next.config.tsRepository: soumen0818/ACREDIA-STELLAR
Length of output: 4361
Add Soroban RPC hosts to connect-src. frontend/src/lib/stellar.ts uses https://soroban-testnet.stellar.org by default (and https://soroban-mainnet.stellar.org for mainnet), but frontend/next.config.ts only allows https://rpc-futurenet.stellar.org. That will block the default testnet on-chain calls under CSP.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@frontend/next.config.ts` at line 16, The CSP in next.config.ts is missing the
Soroban RPC hosts used by frontend/src/lib/stellar.ts, so default on-chain calls
can be blocked. Update the connect-src directive alongside the existing Stellar
hosts to include both soroban-testnet.stellar.org and
soroban-mainnet.stellar.org, keeping the current rpc-futurenet entry as well.
Hey, you just added a file; please analyse the issue very carefully and then update accordingly. Then create a fresh PR. |
Fixes #91
Closes #91
Summary by CodeRabbit