feat: add CSP, security headers middleware, and CORS hardening#451
Conversation
|
Warning Review limit reached
Next review available in: 39 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Welcome to OSSfolio, @DebasmitaBose0! 🎉Thank you for opening this pull request and contributing to the open-source community! 🚀 To ensure a smooth review process, please make sure you have:
We will review your PR as soon as possible. Happy coding! 💻✨ |
|
@DebasmitaBose0 thanks for contributing to the ossfolio Since ur new its fine, but ur supposed to use the exact PR template given from here on And for any kind of doubts or queries u can tag me here or join the discord from #34 Im also adding u to the contributors list in the readme @all-contributors add @DebasmitaBose0 for code, docs Thanks!! |
|
I've put up a pull request to add @DebasmitaBose0! 🎉 |
|
🎉 Your PR just got merged, @DebasmitaBose0 — thank you for contributing to OSSfolio! Your work is now part of the project. Here's what to do next:
We really appreciate you taking the time. See you in the next PR! 🚀 |
Closes #418
default-src: Restricted to 'self'.
script-src / style-src: Configured with 'self' and 'unsafe-inline' / 'unsafe-eval' to allow Next.js hydration and framework internals.
img-src: Allowed sources include 'self', data:, blob:, https://avatars.githubusercontent.com, and https://github.com.
connect-src: Authorized to communicate with 'self', https://api.github.com, and https://github.com.
frame-src / object-src / frame-ancestors: Set to 'none' to prevent clickjacking and object injections.
Strict-Transport-Security (HSTS): Enforces HTTPS connections (max-age=63072000; includeSubDomains; preload).
X-Frame-Options: Set to DENY to protect against clickjacking.
X-Content-Type-Options: Set to nosniff to mitigate MIME-type sniffing.
X-XSS-Protection: Explicitly disabled (0) in favor of modern CSP protection.
Referrer-Policy: Configured to strict-origin-when-cross-origin.
Permissions-Policy: Restricts browser features (camera=(), microphone=(), geolocation=()).
Configures standard CORS headers for requests hitting /api/* endpoints (Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Max-Age).
Automatically bypasses Next.js internal endpoints (_next/), static assets (favicon, manifest), and the service worker (sw.js) to avoid runtime delivery issues.
Verification & Testing Plan