
Implement security headers middleware (CSP, X-Frame-Options, etc.) #66

@cursor

Description

The audit report identified missing security headers middleware. Currently, the application does not set important security headers like Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, etc.

Context

Security audit findings:

  • No middleware.ts file for security headers
  • No Content-Security-Policy
  • No X-Frame-Options
  • No X-Content-Type-Options
  • No HTTPS redirection

Requirements

  1. Create Next.js Middleware

    • Create middleware.ts in project root
    • Implement security headers
    • Configure CSP policy
  2. Security Headers to Add

    • Content-Security-Policy
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Referrer-Policy: strict-origin-when-cross-origin
    • Permissions-Policy
  3. HTTPS Enforcement

    • Redirect HTTP to HTTPS in production
    • HSTS header

Acceptance Criteria

  • middleware.ts created with security headers
  • All headers properly configured
  • CSP policy defined and tested
  • HTTPS redirection working
  • Headers verified in production

Related

Priority

High - Security critical

Metadata

Assignees

No one assigned

Labels

No labels

Projects

Status
Todo

Relationships

None yet

Development

No branches or pull requests