
Production readiness: security headers, global-error boundary, JSON-LD, strict TS, CI scanning#5

Draft
Copilot wants to merge 2 commits into main from copilot/audit-production-readiness


Copilot AI commented Mar 19, 2026

Addresses five gaps identified in the production readiness audit: missing HTTP security headers, no root-level error boundary, absent JSON-LD structured data, incomplete TypeScript strictness, and no dependency vulnerability scanning in CI.

Security headers (next.config.ts)

Applied to all routes via headers():

  • Strict-Transport-Security (2yr + preload), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (camera/mic/geolocation/browsing-topics off)
  • CSP with 'unsafe-inline' (required by Next.js/Tailwind) but no unsafe-eval; frame-ancestors, base-uri, and form-action locked to 'self'

Global error boundary (src/app/global-error.tsx) — new file

Next.js requires a separate global-error.tsx with its own <html>/<body> wrapper to catch crashes in the root layout — error.tsx alone doesn't cover that layer. Uses inline styles since Tailwind is unavailable at this boundary; logs via useEffect.

JSON-LD structured data

  • Root layout: Person schema (name, URL, sameAs, jobTitle, email)
  • Blog post page: BlogPosting schema (headline, description, dates, author, image)

Both use .replace(/</g, "\\u003c") on the serialized JSON to prevent </script> breakout from user-entered content:

<script
  type="application/ld+json"
  dangerouslySetInnerHTML={{
    __html: JSON.stringify(schema).replace(/</g, "\\u003c"),
  }}
/>

TypeScript: noUncheckedIndexedAccess (tsconfig.json, src/lib/markdown.ts)

Enabled noUncheckedIndexedAccess: true. Fixed the two surfaced errors in markdown.ts — regex capture groups match[1]/match[2] are now null-coalesced before use.

CI dependency scanning (.github/workflows/ci.yml)

Added bun audit immediately after install. continue-on-error: true for initial rollout — remove once any flagged advisories are resolved.


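The header set and the JSON-LD escaping described in the comment above, as an added TypeScript example that is not part of this PR or the project's own code. Only the header names and values and the `\u003c` replacement come from the PR description; the concrete CSP directive list, the `HttpHeader` type, the helper names (`buildCsp`, `securityHeaders`, `auditHeaders`, `jsonLdScriptBody`) and the constructed `hostilePost` input are assumptions. It goes slightly beyond the PR by also escaping `>`, `&` and U+2028/U+2029 in the JSON-LD body and by adding a small pre-merge check over the header list.

```typescript
// Added example, not the PR's next.config.ts. The {key, value} shape matches
// what a Next.js headers() entry returns; everything else is illustrative.

interface HttpHeader {
  key: string;
  value: string;
}

// CSP directives (assumed; the PR only states the constraints, not the full policy).
// 'unsafe-inline' is kept for script-src/style-src as the PR says Next.js/Tailwind
// need it; 'unsafe-eval' is deliberately absent.
const cspDirectives: Record<string, string[]> = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "img-src": ["'self'", "data:", "https:"],
  "font-src": ["'self'"],
  "connect-src": ["'self'"],
  "frame-ancestors": ["'self'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
};

function buildCsp(directives: Record<string, string[]> = cspDirectives): string {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

function securityHeaders(): HttpHeader[] {
  return [
    // 63072000 s = 2 years; includeSubDomains + preload are required for the preload list
    { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=(), browsing-topics=()" },
    { key: "Content-Security-Policy", value: buildCsp() },
  ];
}

// Pre-merge checks a reviewer would run over the header list: CSP present and free
// of 'unsafe-eval', frame-ancestors set, HSTS long enough for preload, nosniff set.
function auditHeaders(headers: HttpHeader[]): string[] {
  const problems: string[] = [];
  const get = (k: string): string | undefined =>
    headers.find((h) => h.key.toLowerCase() === k.toLowerCase())?.value;

  const csp = get("Content-Security-Policy") ?? "";
  if (!csp) problems.push("missing Content-Security-Policy");
  if (/'unsafe-eval'/.test(csp)) problems.push("CSP allows 'unsafe-eval'");
  if (!/frame-ancestors\s/.test(csp)) problems.push("CSP lacks frame-ancestors");

  const hsts = get("Strict-Transport-Security") ?? "";
  // With noUncheckedIndexedAccess, exec(...)?.[1] is string | undefined, hence the ?? 0
  const maxAge = Number(/max-age=(\d+)/.exec(hsts)?.[1] ?? 0);
  if (maxAge < 31536000) problems.push("HSTS max-age below one year");

  if (get("X-Content-Type-Options") !== "nosniff") problems.push("missing nosniff");
  return problems;
}

// JSON.stringify does not escape '<', so a string field containing "</script>"
// would terminate an inline <script type="application/ld+json"> early.
// Escaping '<' as \u003c keeps the text valid JSON (it parses back to '<') while
// making a literal "</script>" impossible. '>' and '&' are escaped the same way,
// plus U+2028/U+2029, which some JS parsers treat as line terminators.
function jsonLdScriptBody(schema: unknown): string {
  return JSON.stringify(schema)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed hostile input: a post description that tries to break out of the script tag.
const hostilePost = {
  "@context": "https://schema.org",
  "@type": "BlogPosting",
  headline: "Hello",
  description: "</script><script>alert(document.cookie)</script>",
};
```

`jsonLdScriptBody(hostilePost)` is what goes into `__html`; it contains no `<` at all, and `JSON.parse` of it returns the original object, so structured-data consumers are unaffected. One design point the audit above does not flag: `X-Frame-Options: DENY` is stricter than `frame-ancestors 'self'`, and browsers that understand `frame-ancestors` ignore `X-Frame-Options` when both are present, so the effective policy for same-origin framing differs between old and new clients. If the site should never be framed anywhere, `frame-ancestors 'none'` makes the two agree.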


vercel Bot commented Mar 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: web-dev-blogsite
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Mar 19, 2026 0:43am

…ror, JSON-LD, strict TypeScript, CI scanning

Co-authored-by: JevonThompsonx <104575457+JevonThompsonx@users.noreply.github.com>
Copilot AI changed the title [WIP] Perform production readiness audit Production readiness: security headers, global-error boundary, JSON-LD, strict TS, CI scanning Mar 19, 2026
Copilot AI requested a review from JevonThompsonx March 19, 2026 00:43