Skip to content

feat(security): add baseline security response headers#18

Merged
Manuel10i merged 1 commit into
mainfrom
feat/security-headers
Jul 5, 2026
Merged

feat(security): add baseline security response headers#18
Manuel10i merged 1 commit into
mainfrom
feat/security-headers

Conversation

@Manuel10i

Copy link
Copy Markdown
Owner

What

The site currently responds with none of the common security headers. This adds a conservative baseline via next.config.ts headers(), applied to every route:

Header Value
Strict-Transport-Security max-age=63072000; includeSubDomains; preload
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy strict-origin-when-cross-origin
Permissions-Policy camera=(), microphone=(), geolocation=(), browsing-topics=()

Verified there is no navigator.geolocation / getUserMedia usage in src/, so denying those features is safe.

Deliberately out of scope: CSP

No Content-Security-Policy in this PR. A correct CSP for this app has to account for the inline theme script (dangerouslySetInnerHTML), Google Fonts, Analytics, Turnstile and the map tile provider. Getting that wrong silently breaks rendering, so it deserves a dedicated PR built and tested against the running app rather than a guess shipped here.

Verify

  • npx tsc --noEmit and eslint next.config.ts pass.
  • After deploy: curl -sI https://packedplaces.com | grep -i strict-transport should show the HSTS header.

Third of the SEO/security cleanup sweep (see #16 metadataBase/OG images, #17 canonicals/hreflang).

The site shipped none of the common security headers. Add a conservative
set via next.config headers(), applied to every route: HSTS (2y,
includeSubDomains, preload), X-Content-Type-Options: nosniff,
X-Frame-Options: SAMEORIGIN, Referrer-Policy:
strict-origin-when-cross-origin, and a Permissions-Policy denying camera,
microphone, geolocation and browsing-topics (none are used by the app;
verified no navigator.geolocation/getUserMedia usage).

No Content-Security-Policy yet: a correct policy for the inline theme
script, Google Fonts, Analytics, Turnstile and map tiles needs to be built
and tested against the running app, so it is left as a dedicated follow-up
rather than shipped as a guess that could break rendering.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Manuel10i Manuel10i merged commit cf141be into main Jul 5, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant