Skip to content

feat: add CSP, security headers middleware, and CORS hardening#451

Merged
PRODHOSH merged 1 commit into
PRODHOSH:mainfrom
DebasmitaBose0:feat/418-security-hardening
Jul 14, 2026
Merged

feat: add CSP, security headers middleware, and CORS hardening#451
PRODHOSH merged 1 commit into
PRODHOSH:mainfrom
DebasmitaBose0:feat/418-security-hardening

Conversation

@DebasmitaBose0

Copy link
Copy Markdown
Contributor

Closes #418

  • Content Security Policy (CSP):

default-src: Restricted to 'self'.
script-src / style-src: Configured with 'self' and 'unsafe-inline' / 'unsafe-eval' to allow Next.js hydration and framework internals.
img-src: Allowed sources include 'self', data:, blob:, https://avatars.githubusercontent.com, and https://github.com.
connect-src: Authorized to communicate with 'self', https://api.github.com, and https://github.com.
frame-src / object-src / frame-ancestors: Set to 'none' to prevent clickjacking and object injections.

  • HTTP Security Headers:

Strict-Transport-Security (HSTS): Enforces HTTPS connections (max-age=63072000; includeSubDomains; preload).
X-Frame-Options: Set to DENY to protect against clickjacking.
X-Content-Type-Options: Set to nosniff to mitigate MIME-type sniffing.
X-XSS-Protection: Explicitly disabled (0) in favor of modern CSP protection.
Referrer-Policy: Configured to strict-origin-when-cross-origin.
Permissions-Policy: Restricts browser features (camera=(), microphone=(), geolocation=()).

  • CORS Hardening:

Configures standard CORS headers for requests hitting /api/* endpoints (Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Max-Age).

  • Exclusion Logic:

Automatically bypasses Next.js internal endpoints (_next/), static assets (favicon, manifest), and the service worker (sw.js) to avoid runtime delivery issues.
Verification & Testing Plan

  • Manual Verification
  1. Verify Development Mode: Run npm run dev and navigate to the application.
  2. Inspect Response Headers: Open Chrome DevTools -> Network tab, click on any document response, and verify the presence of the security headers:
  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
  1. Verify API CORS Headers: Make a request to any /api/* route and verify the inclusion of CORS headers
  2. Ensure Static Asset Bypassing: Check requests for favicon.ico or /sw.js and verify they do not contain the CSP headers or show routing problems.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@DebasmitaBose0, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 39 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 6138f0b0-b059-42c9-8f95-8924cd70e1d2

📥 Commits

Reviewing files that changed from the base of the PR and between 294511e and 3a72b45.

📒 Files selected for processing (1)
  • src/middleware.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

Welcome to OSSfolio, @DebasmitaBose0! 🎉

Thank you for opening this pull request and contributing to the open-source community! 🚀

To ensure a smooth review process, please make sure you have:

  • Checked that your changes work locally and compile cleanly.
  • Followed the guidelines outlined in CONTRIBUTING.md.
  • Linked your PR to an open issue (e.g. Closes #ISSUE_NUMBER).

We will review your PR as soon as possible. Happy coding! 💻✨

@PRODHOSH

Copy link
Copy Markdown
Owner

@DebasmitaBose0 thanks for contributing to the ossfolio

Since ur new its fine, but ur supposed to use the exact PR template given from here on
Next up, Please read the CONTRIBUTING.md and #19

And for any kind of doubts or queries u can tag me here or join the discord from #34
and star the repo

Im also adding u to the contributors list in the readme

@all-contributors add @DebasmitaBose0 for code, docs

Thanks!!

@allcontributors

Copy link
Copy Markdown
Contributor

@PRODHOSH

I've put up a pull request to add @DebasmitaBose0! 🎉

@PRODHOSH PRODHOSH self-requested a review July 14, 2026 03:06
@PRODHOSH PRODHOSH added ELUSOC ELUSOC project submission completed ADVENTURER Intermediate — 25 pts labels Jul 14, 2026
@PRODHOSH PRODHOSH merged commit 5c4867a into PRODHOSH:main Jul 14, 2026
10 checks passed
@github-actions

Copy link
Copy Markdown
Contributor

🎉 Your PR just got merged, @DebasmitaBose0 — thank you for contributing to OSSfolio!

Your work is now part of the project. Here's what to do next:

  • ⭐ If you haven't already, consider giving the repo a star — it helps us grow.
  • 📢 Share your contribution on LinkedIn, Twitter, or wherever you hang out. You shipped open source!
  • 🔍 Browse other open issues if you want to keep contributing.

We really appreciate you taking the time. See you in the next PR! 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ADVENTURER Intermediate — 25 pts completed ELUSOC ELUSOC project submission

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[ELUSOC] Security Hardening — Helmet CSP & CORS

2 participants