23 changes: 23 additions & 0 deletions vercel.json
@@ -1,4 +1,27 @@
{
"headers": [
{
"source": "/(.*)",
"headers": [
{
"key": "Content-Security-Policy-Report-Only",
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report"
Copilot AI Mar 23, 2026

report-uri /csp-report points to an endpoint that doesn’t appear to exist in the repo, and the current catch-all SPA rewrite (/(.*) -> /) will also rewrite /csp-report to /. As a result, CSP violation reports won’t be received/processed, which defeats the stated purpose of this PR. Consider either (a) implementing a real report ingestion endpoint (e.g., a Vercel Function) and exempting it from the rewrite, or (b) sending reports to an external HTTPS endpoint instead of a rewritten path.

Suggested change
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report"
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri https://csp-report.example.com/report"

Copilot AI Mar 23, 2026

This CSP is extremely permissive for a report-only rollout (script-src includes 'unsafe-inline' and 'unsafe-eval', and connect-src allows any https:/wss:). With those allowances, many important violations won’t be reported, making the collected data much less actionable when switching to enforced mode. For the report-only phase, it’s usually better to start from a stricter baseline and add exceptions based on real violations.

Suggested change
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report"
"value": "default-src 'self'; script-src 'self' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://va.vercel-scripts.com; frame-ancestors 'none'; report-uri /csp-report"

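The stricter baseline the comment above argues for can be checked mechanically rather than by eye. The following is an added example, not code from the PR or from Copilot: a small Node script that parses a CSP string into directives, applies the default-src fallback the way a browser does, and flags the allowances that hide violations during a Report-Only rollout ('unsafe-inline' without a nonce or hash, 'unsafe-eval', scheme-only or wildcard sources in the directives that govern code execution and network access, and a missing reporting directive). PR_POLICY and STRICT_POLICY are copied from the two value strings in the suggestion above; the function names and the OPEN_SOURCES list are the example's own choices.

```javascript
// Added example (not from the PR): audit a Content-Security-Policy string.

// The policy as submitted in vercel.json and the stricter variant suggested in review.
const PR_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; " +
  "img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report";

const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://va.vercel-scripts.com; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; " +
  "img-src 'self' data: https: blob:; connect-src 'self' https://va.vercel-scripts.com; frame-ancestors 'none'; report-uri /csp-report";

// Parse "name src src; name src" into Map<directive, [sources]>.
// Directive names are case-insensitive and, per the spec, the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const segment of policy.split(';')) {
    const parts = segment.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Effective source list for a fetch directive: the directive itself, else default-src.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || [];
}

// Scheme-only and wildcard sources that make a directive effectively open (example's own list).
const OPEN_SOURCES = new Set(['*', 'https:', 'http:', 'wss:', 'ws:', 'data:', 'blob:']);

// Return a list of human-readable findings; an empty list means the checks passed.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];

  const script = effectiveSources(d, 'script-src');
  // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present,
  // so only flag it when it is actually in effect.
  const hasNonceOrHash = script.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash: inline-script XSS will not be reported");
  }
  if (script.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval': eval/new Function injection will not be reported");
  }

  // Directives where a scheme-only source means "anywhere"; style/img are deliberately not checked here.
  for (const name of ['script-src', 'connect-src', 'object-src', 'frame-src']) {
    const open = effectiveSources(d, name).filter(s => OPEN_SOURCES.has(s));
    if (open.length > 0) findings.push(`${name} contains open source(s): ${open.join(' ')}`);
  }

  if (!d.has('report-uri') && !d.has('report-to')) {
    findings.push('no report-uri/report-to directive: violations are not collected');
  }
  return findings;
}

// Stand-alone run: print the findings for both policies.
for (const [label, policy] of [['PR policy', PR_POLICY], ['strict policy', STRICT_POLICY]]) {
  const findings = auditCsp(policy);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  - ${f}`);
}
```

Run with node; the PR policy produces three findings (inline, eval, and the open connect-src) while the stricter suggestion produces none, which is what makes the Report-Only data from the stricter policy actionable.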
},
{
Copilot AI Mar 23, 2026

report-uri is deprecated in favor of report-to / Reporting-Endpoints. If you’re adding CSP reporting infrastructure now, consider switching to the newer reporting directives (and adding the corresponding Report-To/Reporting-Endpoints header) to avoid having to migrate later.

Suggested change
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report"
},
{
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-to csp-endpoint"
},
{
"key": "Report-To",
"value": "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"/csp-report\"}]}"
},
{

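Whichever directive is kept, something has to receive the reports, and the two directives send different body shapes: report-uri POSTs a single {"csp-report": {...}} object with content type application/csp-report, while report-to POSTs a JSON array of {"type": "csp-violation", "body": {...}} objects with content type application/reports+json. The following is an added example, not code from the PR: a Vercel-style Node function that accepts both shapes, normalises them into one record, drops browser-extension noise, and logs the rest. The handler signature, the route name api/csp-report.js, the handling of req.body as string, Buffer or parsed object, the NOISE_PREFIXES list and the sample reports are all assumptions of the example.

```javascript
// Added example (not from the PR): CSP violation report endpoint for both wire formats.

// Blocked URIs from browser extensions or non-web schemes say nothing about the site (example's own list).
const NOISE_PREFIXES = [
  'chrome-extension://', 'moz-extension://', 'safari-extension://', 'safari-web-extension://', 'about:',
];

// Constructed sample bodies, one per format.
const SAMPLE_LEGACY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.com/',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'inline',
    'disposition': 'report',
  },
});
const SAMPLE_MODERN = [
  { type: 'csp-violation', url: 'https://example.com/',
    body: { documentURL: 'https://example.com/', effectiveDirective: 'script-src', blockedURL: 'eval', disposition: 'report' } },
  { type: 'csp-violation', url: 'https://example.com/',
    body: { documentURL: 'https://example.com/', effectiveDirective: 'script-src',
            blockedURL: 'chrome-extension://abcdefgh/inject.js', disposition: 'report' } },
];

// Accept the body as a Buffer, a raw string or an already-parsed object (assumption about the runtime).
function parseBody(body) {
  if (Buffer.isBuffer(body)) body = body.toString('utf8');
  if (typeof body === 'string') return body.length ? JSON.parse(body) : null;
  return body;
}

// Normalise either format into { url, directive, blocked, disposition }.
function normalizeReports(payload) {
  if (payload && typeof payload === 'object' && 'csp-report' in payload) {
    const r = payload['csp-report'];
    return [{
      url: r['document-uri'],
      directive: r['effective-directive'] || r['violated-directive'],
      blocked: r['blocked-uri'],
      disposition: r['disposition'],
    }];
  }
  if (Array.isArray(payload)) {
    return payload
      .filter(r => r && r.type === 'csp-violation' && r.body)
      .map(r => ({
        url: r.body.documentURL || r.url,
        directive: r.body.effectiveDirective,
        blocked: r.body.blockedURL,
        disposition: r.body.disposition,
      }));
  }
  return [];
}

function isNoise(report) {
  const blocked = String(report.blocked || '');
  return NOISE_PREFIXES.some(prefix => blocked.startsWith(prefix));
}

// Parse, normalise and filter; throws on malformed JSON so the handler can answer 400.
function ingest(rawBody) {
  return normalizeReports(parseBody(rawBody)).filter(r => !isNoise(r));
}

// Vercel-style Node handler (shape assumed). Deploy as api/csp-report.js and
// exclude /csp-report from the SPA catch-all rewrite so the POST reaches it.
function handler(req, res) {
  if (req.method !== 'POST') { res.statusCode = 405; return res.end(); }
  let reports;
  try { reports = ingest(req.body); } catch (e) { res.statusCode = 400; return res.end(); }
  for (const r of reports) {
    // In production forward to a log sink; stdout is enough to prove the plumbing works.
    console.log(JSON.stringify({ kind: 'csp-violation', ...r }));
  }
  res.statusCode = 204; // browsers ignore the response body
  res.end();
}

// Stand-alone run over the constructed samples.
console.log('legacy:', ingest(SAMPLE_LEGACY));
console.log('modern (noise removed):', ingest(JSON.stringify(SAMPLE_MODERN)));
```

The normalised record is what to key dashboards and alerts on: group by directive and blocked URI, and treat a sudden cluster of script-src reports with an unfamiliar blocked URI as a signal worth triage rather than as a policy tuning item.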
"key": "X-Content-Type-Options",
"value": "nosniff"
},
{
"key": "X-Frame-Options",
"value": "DENY"
},
{
"key": "Referrer-Policy",
"value": "strict-origin-when-cross-origin"
}
]
}
],
"rewrites": [
{
"source": "/(.*)",
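Review bot: the catch-all rewrite whose "source": "/(.*)" begins here matches /csp-report as well, the path the new report-uri directive points at, so browsers' violation POSTs are routed wherever the catch-all sends them instead of to a collector; add a function for that route and exclude it from this rewrite (or point report-uri at an external collector) before treating the Report-Only data as complete. Separately, X-Frame-Options: DENY is enforced now while frame-ancestors 'none' only reports, which is the right staging; keep the X-Frame-Options header when the policy is later switched to enforcing so older clients stay covered.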