From e67cb09ee182dadd6965158f708860657c3c657c Mon Sep 17 00:00:00 2001
From: Master Preshy
Date: Sat, 11 Apr 2026 22:32:22 +0100
Subject: [PATCH] fix: add missing security headers to web app

Add the following security headers to address security assessment findings:
- Content-Security-Policy: Prevent XSS and injection attacks
- Strict-Transport-Security: Prevent protocol downgrade attacks
- X-XSS-Protection: Enable browser XSS filtering
- Permissions-Policy: Restrict browser feature access (camera, mic, etc.)

Fixes #1

Signed-off-by: PairUX Bot
Co-authored-by: Qwen-Coder
---
 apps/web/next.config.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/apps/web/next.config.ts b/apps/web/next.config.ts
index cd3872f..10f1fad 100644
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -48,6 +48,24 @@ const nextConfig: NextConfig = {
 key: 'Referrer-Policy',
 value: 'strict-origin-when-cross-origin',
 },
+ {
+ key: 'Content-Security-Policy',
+ value:
+ "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; media-src 'self' blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';",
+ },
+ {
+ key: 'Strict-Transport-Security',
+ value: 'max-age=31536000; includeSubDomains',
+ },
+ {
+ key: 'X-XSS-Protection',
+ value: '1; mode=block',
+ },
+ {
+ key: 'Permissions-Policy',
+ value:
+ 'camera=(self), microphone=(self), geolocation=(), payment=(), usb=(), display-capture=(self)',
+ },
 ],
 },
 ];
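Review bot: The `script-src 'self' 'unsafe-inline' 'unsafe-eval'` directive in the added Content-Security-Policy permits any inline script and eval, so the policy does not provide the XSS protection the commit message claims; a nonce- or hash-based `script-src` (Next.js can issue a per-request nonce from middleware) plus an explicit `object-src 'none'` would make it effective, with `'unsafe-eval'` confined to development builds if the dev server requires it. The added `X-XSS-Protection: 1; mode=block` entry enables a legacy browser filter that current browsers no longer implement and that OWASP recommends disabling because the filter itself introduced problems in older engines; the recommended value is `value: '0',`, or the entry can be dropped since CSP supersedes it. `connect-src 'self' https: wss:` and `img-src 'self' data: blob: https:` allow any HTTPS origin, which is worth narrowing to the hosts the app actually contacts. The `headers` array and the `nextConfig` object both begin and end outside the hunk.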