Harden the app with a Content-Security-Policy and security response headers
Description
next.config.ts only sets reactStrictMode and the app sends no security headers — no Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, or X-Frame-Options. Given the dashboard renders backend-provided event payloads in src/app/events/page.tsx, a baseline CSP materially reduces XSS blast radius. This issue adds headers.
Requirements and context
- Repository scope: StableRoute-Org/Stableroute-frontend only.
- Add a
headers() function in next.config.ts (or a src/middleware.ts) setting Content-Security-Policy, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and X-Frame-Options: DENY / frame-ancestors 'none'.
- The CSP must allow the configured
NEXT_PUBLIC_STABLEROUTE_API_BASE in connect-src and Next.js's required script-src/style-src for the App Router; document any unsafe-inline compromise.
- Do not break local dev (
http://localhost:3001 API base) or production builds.
- Keep the policy readable (a small builder) and documented.
Suggested execution
- Fork the repo and create a branch
git checkout -b security/headers-20-csp- Implement changes
- Write code in:
next.config.ts or create src/middleware.ts.
- Write comprehensive tests in: create a unit test for the header/CSP builder (e.g.
src/lib/__tests__/securityHeaders.test.ts) asserting required directives.
- Add documentation: document the CSP and how to extend
connect-src in README.md.
- Add JSDoc to the policy builder.
- Validate the CSP does not block the API base or Next runtime.
- Test and commit
Test and commit
- Run
npm run lint, npm test, and npm run build, then verify headers with curl -I against npm run dev.
- Cover edge cases: custom API base in
connect-src, dev vs prod, and missing env fallback.
- Include the full header dump and
npm test output in the PR description.
Example commit message
security: add CSP and hardening response headers via next config
Guidelines
- Minimum 95 percent test coverage for impacted modules.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
Harden the app with a Content-Security-Policy and security response headers
Description
next.config.tsonly setsreactStrictModeand the app sends no security headers — no Content-Security-Policy,X-Content-Type-Options,Referrer-Policy, orX-Frame-Options. Given the dashboard renders backend-provided event payloads insrc/app/events/page.tsx, a baseline CSP materially reduces XSS blast radius. This issue adds headers.Requirements and context
headers()function innext.config.ts(or asrc/middleware.ts) settingContent-Security-Policy,X-Content-Type-Options: nosniff,Referrer-Policy: strict-origin-when-cross-origin, andX-Frame-Options: DENY/frame-ancestors 'none'.NEXT_PUBLIC_STABLEROUTE_API_BASEinconnect-srcand Next.js's requiredscript-src/style-srcfor the App Router; document anyunsafe-inlinecompromise.http://localhost:3001API base) or production builds.Suggested execution
git checkout -b security/headers-20-cspnext.config.tsor createsrc/middleware.ts.src/lib/__tests__/securityHeaders.test.ts) asserting required directives.connect-srcinREADME.md.Test and commit
npm run lint,npm test, andnpm run build, then verify headers withcurl -Iagainstnpm run dev.connect-src, dev vs prod, and missing env fallback.npm testoutput in the PR description.Example commit message
security: add CSP and hardening response headers via next configGuidelines
Community & contribution rewards