
Replace CSP unsafe-inline with a nonce for the theme pre-paint script #85


@mikewheeleer

Tighten the script CSP by nonce-ing the inline theme script

Description

src/lib/securityHeaders.ts builds a CSP whose script-src currently allows 'unsafe-inline' (and 'unsafe-eval' in dev). That allowance exists only because src/app/layout.tsx injects an inline theme pre-paint script via dangerouslySetInnerHTML. 'unsafe-inline' on script-src defeats much of the XSS protection a CSP provides, since any injected inline script is allowed to run. This issue replaces it with a per-request nonce: the header carries 'nonce-…' and the inline theme script carries the same value in its nonce attribute, so only that script is permitted.

Requirements and context

  • Repository scope: Agentpay-Org/Agentpay-frontend only.
  • Generate a per-request nonce (via src/middleware.ts or the header builder), add it to script-src 'nonce-…', and drop unsafe-inline from script-src.
  • Apply the same nonce to the inline theme script in src/app/layout.tsx so it still executes before paint.
  • Keep style-src working for the next/font Geist setup and preserve all other directives in src/lib/securityHeaders.ts.
  • Document the nonce flow and any dev/prod differences.
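Worked example of the nonce flow the requirements above describe, added here as illustration; it is not code from Agentpay-frontend, and the function names, the directive list, the regex for a well-formed nonce and the theme script body are all assumptions. It shows a per-request CSPRNG nonce, a script-src builder that fails closed when the nonce is missing instead of quietly reopening 'unsafe-inline', pass-through of every other directive, a dev/prod difference limited to 'unsafe-eval', and a checker you can run over the curl -I dump and the rendered HTML to confirm header and tag agree.

```typescript
import { randomBytes } from "node:crypto";

// Added example (not the project's code). Names are hypothetical; the real builder
// lives in src/lib/securityHeaders.ts and may be shaped differently.
export type CspEnv = "development" | "production";

// One fresh, unguessable nonce per response: 128 bits of CSPRNG output, base64 so
// it fits the 'nonce-<base64>' source expression.
export function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

// Assumed shape of an acceptable nonce: base64 with at least 16 chars of entropy.
const NONCE_RE = /^[A-Za-z0-9+/]{16,}={0,2}$/;

// script-src with the nonce and without 'unsafe-inline'. A missing or malformed
// nonce (e.g. a route the middleware matcher skipped) is an error: the theme script
// visibly breaks in review rather than the policy silently weakening.
export function buildScriptSrc(nonce: string | null | undefined, env: CspEnv): string {
  if (!nonce || !NONCE_RE.test(nonce)) {
    throw new Error("CSP nonce missing or malformed; refusing to emit script-src without it");
  }
  const sources = ["'self'", `'nonce-${nonce}'`];
  // Dev keeps 'unsafe-eval' for Next.js tooling (assumed dev-only need); prod drops it.
  if (env === "development") sources.push("'unsafe-eval'");
  return `script-src ${sources.join(" ")}`;
}

// Rebuilds the header: only script-src is replaced, every other directive
// (style-src for next/font, frame-ancestors, ...) passes through untouched.
export function buildCsp(
  nonce: string | null | undefined,
  env: CspEnv,
  otherDirectives: string[],
): string {
  const kept = otherDirectives.filter((d) => !/^\s*script-src\b/.test(d));
  return [buildScriptSrc(nonce, env), ...kept].join("; ");
}

// The inline theme pre-paint script rendered with the same nonce. The body is a
// constructed stand-in for the project's real script.
export function themeScriptTag(nonce: string): string {
  const body =
    "(function(){try{var t=localStorage.getItem('theme');" +
    "if(t)document.documentElement.dataset.theme=t;}catch(e){}})();";
  return `<script nonce="${nonce}">${body}</script>`;
}

// Parses a CSP header value into directive -> source list (for a curl -I dump).
export function parseCsp(header: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out.set(name, sources);
  }
  return out;
}

// Reviewer check: script-src has exactly one nonce and no 'unsafe-inline', and
// the rendered theme tag carries that exact nonce. Returns a list of problems.
export function checkNoncedPolicy(header: string, html: string): string[] {
  const problems: string[] = [];
  const script = parseCsp(header).get("script-src") ?? [];
  if (script.includes("'unsafe-inline'")) problems.push("script-src still allows 'unsafe-inline'");
  const nonces = script.filter((s) => s.startsWith("'nonce-")).map((s) => s.slice(7, -1));
  if (nonces.length !== 1) problems.push("script-src must carry exactly one nonce");
  const m = html.match(/<script nonce="([^"]*)">/);
  if (!m) problems.push("theme script is not nonced");
  else if (nonces[0] !== m[1]) problems.push("theme script nonce does not match the header");
  return problems;
}
```

In the shape Next.js documents for CSP nonces, generateNonce and buildCsp would run in src/middleware.ts (setting the policy on the response and passing the nonce to the app through a request header), and src/app/layout.tsx would read that nonce from headers() and put it on the inline theme script; the exact header name and plumbing are the implementer's choice. checkNoncedPolicy is the "missing nonce path" and "dev vs prod" test in one place: feed it the Content-Security-Policy value from curl -I and the served HTML, and an empty list is the pass condition.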

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/config-csp-nonce
  • Implement changes
  • Test and commit

Test and commit

  • Run npm run lint, npm run typecheck, npm test, and npm run build.
  • Cover edge cases: dev vs prod CSP, missing nonce path, and font/style loading.
  • Include the npm test output and a curl -I header dump from npm run start.

Example commit message

fix(security): nonce the inline theme script and drop script-src unsafe-inline

Guidelines

  • Minimum 95 percent test coverage for the policy builder.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
