
core: implement CSP headers and security hardening #27

@EmeditWeb

Description

Problem

The web app has no Content Security Policy (CSP) headers, leaving it vulnerable to XSS and clickjacking.

What To Build

  1. Add security headers via vercel.json (CSP, X-Frame-Options, etc.)
  2. Sanitize all user-generated content with DOMPurify before rendering
  3. Enforce HTTPS
  4. Audit localStorage usage
  5. Add Subresource Integrity (SRI) attributes to CDN assets

Files To Touch

  • vercel.json
  • src/services/api.ts
  • Any components rendering user content

Acceptance Criteria

  • CSP headers present in production
  • No XSS vectors in user content rendering
  • HTTPS enforced
  • npm run build passes

Mandatory Checks Before PR

  • npm run build passes
  • Security headers verified in browser devtools
  • PR references this issue
