fix(security): CSP report-only and security headers #424
gabitoesmiapodo wants to merge 2 commits into fix/seo from
Pull request overview
Adds security-related response headers at the Vercel edge to begin monitoring Content Security Policy violations (in Report-Only mode) and to set several baseline hardening headers for all routes.
Changes:
- Configure Content-Security-Policy-Report-Only for all paths via vercel.json.
- Add X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers globally.
| "headers": [ | ||
| { | ||
| "key": "Content-Security-Policy-Report-Only", | ||
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report" |
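Review bot: base-uri and form-action are absent from the policy value in this hunk, and neither of them falls back to default-src, so a markup injection that plants a <base href> or repoints a form to another origin would produce no report during the monitoring phase. Add `base-uri 'self'; form-action 'self'` to the value, and set `object-src 'none'` explicitly rather than relying on the default-src fallback, so the enforced policy later has the same shape as the one being monitored.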
report-uri /csp-report points to an endpoint that doesn’t appear to exist in the repo, and the current catch-all SPA rewrite (/(.*) -> /) will also rewrite /csp-report to /. As a result, CSP violation reports won’t be received/processed, which defeats the stated purpose of this PR. Consider either (a) implementing a real report ingestion endpoint (e.g., a Vercel Function) and exempting it from the rewrite, or (b) sending reports to an external HTTPS endpoint instead of a rewritten path.
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report" | |
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri https://csp-report.example.com/report" |
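Review bot: the `https://csp-report.example.com/report` in the suggested value is a placeholder and must be replaced before merge; whichever collector ends up behind it has to accept a POST with Content-Type `application/csp-report`, which is the legacy body format that `report-uri` sends. The collector does not need to be added to connect-src: report delivery is not governed by the fetch directives, so the rest of the policy can stay as tight as it is.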
| "headers": [ | ||
| { | ||
| "key": "Content-Security-Policy-Report-Only", | ||
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report" |
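Review bot: `img-src 'self' data: https: blob:` in this hunk allows images from any HTTPS host, so the report-only phase will collect nothing about which image origins the app actually uses, and the same bare `https:` and `wss:` appear in connect-src. If the set of image and API origins is known, list them explicitly; if not, expect to tighten these after the first round of reports, because a scheme-only source gives no signal to act on.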
This CSP is extremely permissive for a report-only rollout (script-src includes 'unsafe-inline' and 'unsafe-eval', and connect-src allows any https:/wss:). With those allowances, many important violations won’t be reported, making the collected data much less actionable when switching to enforced mode. For the report-only phase, it’s usually better to start from a stricter baseline and add exceptions based on real violations.
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report" | |
| "value": "default-src 'self'; script-src 'self' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://va.vercel-scripts.com; frame-ancestors 'none'; report-uri /csp-report" |
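The points raised in this thread about the permissive policy can be checked mechanically before the header is flipped from Report-Only to enforced. The following is an added example, not code from PR #424 or from the project: a small CSP linter that parses a header value the way a browser does (first occurrence of a directive wins, other fetch directives fall back to default-src) and flags 'unsafe-inline' and 'unsafe-eval' in script-src, scheme-only sources such as `https:` or `wss:`, missing base-uri and form-action (which do not inherit from default-src), an unrestricted object-src, and a report-uri with no report-to. The directive semantics are standard CSP3; the wording of the findings and the hardened variant of the policy are this example's own suggestions.

```javascript
// Added example, not code from PR #424: lint a CSP header value for the
// weaknesses discussed in this review. Directive semantics follow CSP3;
// the finding text and the hardened policy below are this example's own.

// Directives that do not inherit from default-src and must be set explicitly.
const NO_FALLBACK = ["base-uri", "form-action"];

// Scheme-only sources match every host that uses the scheme.
const HOST_WILDCARD_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// Parse "name value value; name value" into a Map of name -> [values].
function parsePolicy(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP3: when a directive is repeated, only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of findings; an empty list means none of the checked
// weaknesses are present in the policy.
function lintPolicy(policy) {
  const d = parsePolicy(policy);
  const findings = [];
  // Fetch directives fall back to default-src when absent.
  const sources = (name) => d.get(name) ?? d.get("default-src") ?? [];

  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (sources("script-src").includes(kw)) {
      findings.push(`script-src permits ${kw}: injected inline or eval'd script is never reported`);
    }
  }

  for (const [name, values] of d) {
    if (!name.endsWith("-src")) continue;
    for (const v of values) {
      if (HOST_WILDCARD_SCHEMES.has(v)) {
        findings.push(`${name} permits ${v}: any host on that scheme is allowed`);
      }
    }
    // data: URLs in script-src or object-src are a direct XSS vector.
    if ((name === "script-src" || name === "object-src") && values.includes("data:")) {
      findings.push(`${name} permits data: URLs`);
    }
  }

  for (const name of NO_FALLBACK) {
    if (!d.has(name)) findings.push(`${name} is missing and does not fall back to default-src`);
  }
  if (!d.has("object-src") && !d.has("default-src")) {
    findings.push("object-src is unrestricted; set object-src 'none'");
  }
  if (d.has("report-uri") && !d.has("report-to")) {
    findings.push("report-uri without report-to: add report-to for browsers on the Reporting API");
  }
  if (!d.has("report-uri") && !d.has("report-to")) {
    findings.push("no reporting directive: violations are silently dropped");
  }
  return findings;
}

// The policy from the diff above, and a hardened variant (this example's
// suggestion, not the project's).
const PR_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; " +
  "img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report";

const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' https://va.vercel-scripts.com; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; " +
  "img-src 'self' data: blob:; connect-src 'self' https://va.vercel-scripts.com; " +
  "object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; " +
  "report-uri /csp-report; report-to csp-endpoint";

if (typeof require !== "undefined" && require.main === module) {
  console.log(lintPolicy(PR_POLICY));       // eight findings for the policy in this PR
  console.log(lintPolicy(HARDENED_POLICY)); // []
}
```

Run it against the header value in vercel.json before each change to the policy; the hardened variant keeps `style-src 'unsafe-inline'` because Google Fonts and most component libraries still need it, and that is the one allowance the reports should be used to confirm or remove.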
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report" | ||
| }, | ||
| { |
report-uri is deprecated in favor of report-to / Reporting-Endpoints. If you’re adding CSP reporting infrastructure now, consider switching to the newer reporting directives (and adding the corresponding Report-To/Reporting-Endpoints header) to avoid having to migrate later.
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report" | |
| }, | |
| { | |
| "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-to csp-endpoint" | |
| }, | |
| { | |
| "key": "Report-To", | |
| "value": "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/csp-report\"}]}" | |
| }, | |
| { |
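Review bot: the Report-To endpoint in this suggestion is still `/csp-report`, so it inherits the catch-all-rewrite problem raised on the first hunk and would deliver reports to the SPA shell just as report-uri does; the rewrite exemption or external collector has to land together with this change. Two smaller points on the same lines: the suggested policy value drops `report-uri` entirely, but keeping `report-uri /csp-report; report-to csp-endpoint` side by side is the compatibility pattern, since browsers that understand report-to ignore report-uri and older ones use it; and the `Report-To` header is the Reporting API v0 syntax, so if this is new infrastructure consider also emitting the current `Reporting-Endpoints: csp-endpoint="<collector URL>"` header (URL shown as a placeholder) rather than only the JSON form.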
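Once both a `report-uri` and a `report-to` directive are in place, as discussed in the comments above on the reporting endpoint and on the deprecation of report-uri, the same collector will receive two different wire formats: the CSP2 `application/csp-report` body (`{"csp-report": {...}}`) from report-uri, and the Reporting API `application/reports+json` body (an array of typed reports) from report-to. The following is an added example, not code from PR #424 or from the project, that normalises both formats into one record shape and drops the browser-extension noise that otherwise dominates a fresh report stream. The field names are those of the two specifications; the `(req, res)` handler shape is the Node.js request/response pair and is an assumption about how it would be deployed, and the sample payloads are constructed, not captured from the project.

```javascript
// Added example, not code from PR #424: one collector for both CSP report
// formats. Field names follow the CSP2 application/csp-report body and the
// Reporting API application/reports+json body; the Node.js (req, res) handler
// shape is an assumption about deployment. Sample payloads are constructed.

const EXTENSION_SCHEMES = /^(chrome|moz|safari-web|safari|ms-browser)-extension:/;
const MAX_BODY_BYTES = 64 * 1024; // a real violation report is well under this

// Map either wire format to a single record shape.
function normalizeReports(contentType, bodyText) {
  const type = contentType.split(";")[0].trim().toLowerCase();
  const json = JSON.parse(bodyText);
  if (type === "application/csp-report") {
    const r = json["csp-report"];
    if (!r) throw new Error("missing csp-report member");
    return [{
      documentUrl: r["document-uri"],
      directive: r["effective-directive"] ?? r["violated-directive"],
      blockedUrl: r["blocked-uri"],
      sourceFile: r["source-file"] ?? null,
      lineNumber: r["line-number"] ?? null,
      disposition: r["disposition"] ?? "unknown",
    }];
  }
  if (type === "application/reports+json") {
    if (!Array.isArray(json)) throw new Error("reports+json body must be an array");
    // A Reporting API batch may mix report types; keep only CSP violations.
    return json.filter((x) => x.type === "csp-violation").map((x) => ({
      documentUrl: x.body.documentURL,
      directive: x.body.effectiveDirective,
      blockedUrl: x.body.blockedURL,
      sourceFile: x.body.sourceFile ?? null,
      lineNumber: x.body.lineNumber ?? null,
      disposition: x.body.disposition ?? "unknown",
    }));
  }
  throw new Error(`unsupported content type: ${type}`);
}

// Browser extensions inject scripts into every page; their violations say
// nothing about the site's own policy and are dropped before storage.
function isNoise(report) {
  return EXTENSION_SCHEMES.test(report.blockedUrl ?? "") ||
         EXTENSION_SCHEMES.test(report.sourceFile ?? "");
}

function triage(contentType, bodyText) {
  const all = normalizeReports(contentType, bodyText);
  const kept = all.filter((r) => !isNoise(r));
  return { kept, dropped: all.length - kept.length };
}

// HTTP side for a Node.js (req, res) function: browsers POST reports and
// ignore the response body, so answer 204 on success and 400 on bad input.
function handleCspReport(req, res) {
  const chunks = [];
  let size = 0;
  req.on("data", (c) => { size += c.length; if (size <= MAX_BODY_BYTES) chunks.push(c); });
  req.on("end", () => {
    if (size > MAX_BODY_BYTES) { res.statusCode = 413; return res.end(); }
    try {
      const body = Buffer.concat(chunks).toString("utf8");
      const { kept } = triage(req.headers["content-type"] ?? "", body);
      for (const r of kept) console.log(JSON.stringify(r)); // replace with real storage
      res.statusCode = 204;
    } catch (e) {
      res.statusCode = 400;
    }
    res.end();
  });
}

// Constructed sample payloads (not captured from the project).
const LEGACY_BODY = JSON.stringify({
  "csp-report": {
    "document-uri": "https://app.example/",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "line-number": 12,
    "original-policy": "default-src 'self'; report-uri /csp-report",
    "disposition": "report",
  },
});

const REPORTING_API_BODY = JSON.stringify([
  { type: "csp-violation", age: 10, url: "https://app.example/", user_agent: "constructed",
    body: { documentURL: "https://app.example/", effectiveDirective: "connect-src",
            blockedURL: "https://telemetry.example/beacon", disposition: "report", statusCode: 200 } },
  { type: "csp-violation", age: 11, url: "https://app.example/", user_agent: "constructed",
    body: { documentURL: "https://app.example/", effectiveDirective: "script-src",
            blockedURL: "chrome-extension://abcdefghijklmnop/content.js", disposition: "report", statusCode: 200 } },
  { type: "deprecation", age: 12, url: "https://app.example/", user_agent: "constructed", body: {} },
]);
```

`triage(contentType, body)` is the part worth keeping regardless of hosting: it gives the same `{documentUrl, directive, blockedUrl, ...}` record whether the browser used report-uri or report-to, which is what makes aggregating by directive and blocked origin possible before deciding which exceptions the enforced policy needs. In report-only mode the `disposition` field is `"report"`; once the header is switched to enforced it becomes `"enforce"`, so the same collector also shows when the cut-over happened.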
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
- Add Content-Security-Policy-Report-Only via vercel.json headers to capture violations without breaking existing functionality
- Add X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers
Summary
- Content-Security-Policy-Report-Only header via vercel.json to capture violations without breaking the app
- X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers
Test plan
- pnpm test passes