
security: Add Content Security Policy and security headers #146

Description

@Austinaminu2

The app currently doesn't set Content Security Policy (CSP) or other security headers. As a financial application handling token transfers, it should have defense-in-depth against XSS and injection attacks.

Proposed Headers

| Header | Value | Purpose |
| --- | --- | --- |
| Content-Security-Policy | default-src 'self'; script-src 'self'; connect-src 'self' https://*.stellar.org | Restrict resource loading |
| X-Content-Type-Options | nosniff | Prevent MIME sniffing |
| X-Frame-Options | DENY | Prevent clickjacking |
| Referrer-Policy | strict-origin-when-cross-origin | Limit referrer leakage |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Disable unused APIs |

Acceptance Criteria

  • Add security headers via next.config.mjs headers() configuration
  • CSP allows Stellar RPC endpoints and Freighter wallet extension
  • CSP doesn't break inline styles from Tailwind or shadcn/ui (use nonces or hashes if needed)
  • Verify headers are present in production build responses
  • Test that the app functions correctly with all headers enabled
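A next.config headers() configuration carrying the proposed header set, plus a check for the "verify headers are present" criterion, as an added example that is not code from this issue or the project. The '/:path*' route matcher, the buildCsp/missingSecurityHeaders helper names and the CommonJS guard at the end are assumptions; Tailwind/shadcn/ui inline styles are left to a nonce- or hash-based style-src as the issue suggests.

```javascript
// Added example, not the project's own next.config. Builds the headers
// proposed in the issue and checks a response's headers against them.

// CSP directives from the issue table. If Tailwind/shadcn/ui inline styles
// break, add a style-src directive with nonces or hashes (assumed approach).
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'connect-src': ["'self'", 'https://*.stellar.org'],
};

// Serialise a directive map into one Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// The full header set from the issue, in the shape Next.js headers() expects.
function securityHeaders() {
  return [
    { key: 'Content-Security-Policy', value: buildCsp(CSP_DIRECTIVES) },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// Given response headers as a plain object (e.g. collected from a fetch() of
// the production build), return the required header names that are missing.
// Header names are compared case-insensitively, as HTTP requires.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return securityHeaders()
    .map((h) => h.key)
    .filter((key) => !present.has(key.toLowerCase()));
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    // '/:path*' (assumed) applies the headers to every route, API routes included.
    return [{ source: '/:path*', headers: securityHeaders() }];
  },
};

// In next.config.mjs this line would be `export default nextConfig`; the
// guard keeps the file runnable as a plain Node script for the check above.
if (typeof module !== 'undefined') module.exports = nextConfig;
```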

Metadata

Labels

devops (CI/CD and infrastructure), frontend (Next.js frontend), security (Security improvements)