Description
The app currently doesn't set a Content Security Policy (CSP) or any other security headers. As a financial application that handles token transfers, it should have defense in depth against XSS and injection attacks: these headers do not replace output encoding, but they limit what an injected script can load, which hosts it can send data to, and whether the page can be framed.
Proposed Headers
| Header | Value | Purpose |
| --- | --- | --- |
| Content-Security-Policy | `default-src 'self'; script-src 'self'; connect-src 'self' https://*.stellar.org` | Restrict resource loading |
| X-Content-Type-Options | `nosniff` | Prevent MIME sniffing |
| X-Frame-Options | `DENY` | Prevent clickjacking |
| Referrer-Policy | `strict-origin-when-cross-origin` | Limit referrer leakage |
| Permissions-Policy | `camera=(), microphone=(), geolocation=()` | Disable unused APIs |
Acceptance Criteria
- `headers()` configuration in `next.config.mjs`
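The following is an added example, not the project's own configuration: a Next.js `headers()` configuration that emits the five headers from the table above, with the CSP assembled from a directive map rather than typed by hand, plus a small parser and audit function for checking the CSP a deployed app actually returns. It is written in CommonJS form so it runs as a plain script; in `next.config.mjs` replace the `module.exports` line with `export default nextConfig`. The `frame-ancestors 'none'` directive, the `parseCsp`/`auditCsp` helpers and the `/:path*` matcher are additions beyond the table and are assumptions of this example.

```javascript
// Added example (not the project's code): security headers for Next.js headers().
// CSP directives kept as data so the header value is assembled, not hand-typed.
// 'https://*.stellar.org' is the allow-list proposed in the table; every other
// Horizon/RPC host the app talks to must be listed here or the request is blocked.
const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'connect-src': ["'self'", 'https://*.stellar.org'],
  // Modern equivalent of X-Frame-Options: DENY (assumed addition); both are sent
  // because old browsers ignore frame-ancestors and new ones prefer it.
  'frame-ancestors': ["'none'"],
};

// Serialise { directive: [sources] } into "name src src; name src ..."
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Header list in the { key, value } shape Next.js expects.
function securityHeaders(directives = cspDirectives) {
  return [
    { key: 'Content-Security-Policy', value: buildCsp(directives) },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// Case-insensitive lookup of one header's value in a { key, value } list.
function headerValue(headers, key) {
  const hit = headers.find((h) => h.key.toLowerCase() === key.toLowerCase());
  return hit && hit.value;
}

// Parse a CSP header value (as returned by a server) back into a directive map.
// Quoted keywords such as 'self' keep their quotes, matching how they are compared.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name] = sources;
  }
  return out;
}

// Findings a reviewer would raise on a CSP for a token-transfer app. An empty
// array means the policy has none of the weaknesses checked here.
function auditCsp(value) {
  const d = parseCsp(value);
  const findings = [];
  // script-src falls back to default-src when absent, per the CSP spec.
  const scriptSrc = d['script-src'] || d['default-src'] || [];
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'", '*', 'data:']) {
    if (scriptSrc.includes(weak)) findings.push(`script-src allows ${weak}`);
  }
  if (!d['frame-ancestors']) {
    findings.push('no frame-ancestors directive (clickjacking defence relies on X-Frame-Options alone)');
  }
  if ((d['connect-src'] || d['default-src'] || []).includes('*')) {
    findings.push('connect-src allows any origin');
  }
  return findings;
}

// next.config shape: '/:path*' applies the headers to every route, not only '/'.
const nextConfig = {
  async headers() {
    return [{ source: '/:path*', headers: securityHeaders() }];
  },
};

if (typeof module !== 'undefined') module.exports = nextConfig;
```

Two caveats before merging a policy like this. First, `script-src 'self'` with no nonce or hash also blocks the inline scripts Next.js itself emits for hydration in production builds; the Next.js CSP guide handles this with a per-request nonce generated in middleware (its no-nonce `next.config` example falls back to `'unsafe-inline'`, which `auditCsp` flags for that reason), so run a production build with the header applied and watch the browser console for violation reports, or roll it out as `Content-Security-Policy-Report-Only` first. Second, `style-src`, `img-src` and `font-src` all fall through to `default-src 'self'` here, so any inline styles, data-URI images or third-party fonts need explicit entries in `cspDirectives`.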