Tighten the script CSP by nonce-ing the inline theme script
Description
src/lib/securityHeaders.ts builds a CSP that currently allows script-src 'unsafe-inline' (and unsafe-eval in dev), which is required only because src/app/layout.tsx injects an inline theme pre-paint script via dangerouslySetInnerHTML. unsafe-inline defeats much of the XSS protection a CSP provides. This issue replaces it with a per-request nonce.
Requirements and context
- Repository scope: Agentpay-Org/Agentpay-frontend only.
- Generate a per-request nonce (via src/middleware.ts or the header builder), add it to script-src 'nonce-…', and drop unsafe-inline from script-src.
- Apply the same nonce to the inline theme script in src/app/layout.tsx so it still executes before paint.
- Keep style-src working for the next/font Geist setup and preserve all other directives in src/lib/securityHeaders.ts.
- Document the nonce flow and any dev/prod differences.
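An added example, not the repository's securityHeaders.ts, showing a policy builder in the shape these requirements describe: a per-request CSPRNG nonce, script-src carrying 'nonce-…' and no unsafe-inline, unsafe-eval only in dev, a fail-closed path when the nonce is missing, and a helper that performs the assertion the test in this issue is meant to make. The option names and the assumption that style-src keeps 'unsafe-inline' for next/font's injected styles are mine, not the project's.

```typescript
import { randomBytes } from "crypto";

// Hypothetical builder input; the real header builder's signature may differ.
interface CspOptions {
  nonce: string;
  isDev: boolean;
}

// Per-request nonce: 128 bits from a CSPRNG, base64-encoded as CSP expects.
function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

function buildCsp({ nonce, isDev }: CspOptions): string {
  // Missing-nonce path: fail closed rather than silently emitting a policy
  // that would either block the theme script or fall back to unsafe-inline.
  if (!/^[A-Za-z0-9+/=]{16,}$/.test(nonce)) {
    throw new Error("refusing to build CSP with a missing or malformed nonce");
  }
  const scriptSrc = ["'self'", `'nonce-${nonce}'`];
  if (isDev) scriptSrc.push("'unsafe-eval'"); // dev tooling only; never in prod
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    "script-src": scriptSrc,
    // Assumption: next/font (Geist) injects inline <style>, so style-src stays open.
    "style-src": ["'self'", "'unsafe-inline'"],
    "font-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// The check the suggested test should make: script-src carries this request's
// nonce and no 'unsafe-inline'. Parses the serialized header, not the builder's
// internal state, so it also works on a curl -I dump.
function scriptSrcIsNonceOnly(csp: string, nonce: string): boolean {
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  if (!directive) return false;
  const sources = directive.slice("script-src ".length).split(/\s+/);
  return sources.includes(`'nonce-${nonce}'`) && !sources.includes("'unsafe-inline'");
}
```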
Suggested execution
- Fork the repo and create a branch: git checkout -b security/config-csp-nonce
- Implement changes
  - Edit src/lib/securityHeaders.ts, src/middleware.ts (new if needed), and src/app/layout.tsx.
  - Add src/__tests__/securityHeaders.test.ts and assert that script-src contains a nonce placeholder and no unsafe-inline.
  - Update README.md.
- Test and commit
  - Run npm run lint, npm run typecheck, npm test, and npm run build.
  - Cover edge cases: dev vs prod CSP, missing nonce path, and font/style loading.
  - Include the npm test output and a curl -I header dump from npm run start.
Example commit message
fix(security): nonce the inline theme script and drop script-src unsafe-inline
Guidelines
- Minimum 95 percent test coverage for the policy builder.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.