Skip to content

feat: enforce strict CSP with per-request nonces#111

Merged
WhiteMuush merged 7 commits into
mainfrom
feat/strict-csp
Jul 11, 2026
Merged

feat: enforce strict CSP with per-request nonces#111
WhiteMuush merged 7 commits into
mainfrom
feat/strict-csp

Conversation

@WhiteMuush

Copy link
Copy Markdown
Owner

Enforcing Content-Security-Policy on every HTML page: per-request nonce with strict-dynamic (official App Router pattern), built by the vitest-covered src/lib/csp.ts, wired in src/middleware.ts (nonce forwarded via request headers so Next stamps its inline scripts). Matcher widened to cover /login; authorized callback allows exactly /login and /login/ subpaths. API routes stay excluded (self-guarded via apiAuth). style-src keeps unsafe-inline (Tailwind/chart libs), documented trade-off. Verified: nonce rotates per request, auth redirects intact, zero console violations across the app including PDF export. Closes the strict CSP production-readiness item.

@WhiteMuush WhiteMuush merged commit 918085b into main Jul 11, 2026
11 checks passed
@WhiteMuush WhiteMuush deleted the feat/strict-csp branch July 11, 2026 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant