From b2238f31015452ecd2bb8c292f2bfaf8ec96b753 Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 25 Feb 2026 20:36:43 +0100
Subject: [PATCH] fix: gate unsafe-eval to dev, drop redundant X-Frame-Options,
 document PKCE+state

- CSP script-src 'unsafe-eval' is now dev-only; Next.js HMR needs it in
  development but the production standalone build does not
- Remove X-Frame-Options: DENY since frame-ancestors 'none' in CSP supersedes
  it in all modern browsers; keeping both creates a maintenance hazard
- Add comment explaining why state check is added alongside PKCE default

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 next.config.mjs | 9 +++++++--
 src/lib/auth.ts | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/next.config.mjs b/next.config.mjs
index 7566b4d1..16190507 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -9,18 +9,23 @@ const nextConfig = {
   },
   output: 'standalone',
   async headers() {
+    const isDev = process.env.NODE_ENV === "development";
     return [
       {
+        // Applied to all routes; API routes get no-op CSP but benefit from other headers
         source: "/(.*)",
         headers: [
           { key: "X-Content-Type-Options", value: "nosniff" },
-          { key: "X-Frame-Options", value: "DENY" },
+          // X-Frame-Options omitted: frame-ancestors in CSP supersedes it in all modern browsers
           { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
           {
             key: "Content-Security-Policy",
             value: [
               "default-src 'self'",
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval'",  // Next.js requires unsafe-inline/eval in dev
+              // unsafe-eval/unsafe-inline required only for Next.js HMR in development
+              isDev
+                ? "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
+                : "script-src 'self' 'unsafe-inline'",
               "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
               "font-src 'self' https://fonts.gstatic.com",
               "img-src 'self' data: blob:",
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index facac821..78e55f6d 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -89,6 +89,7 @@ function createOAuthProviders(): OAuthConfig<any>[] {
       authorization: config.oauth.authorizationUrl ?? undefined,
       token: config.oauth.tokenUrl ?? undefined,
       userinfo: config.oauth.userinfoUrl ?? undefined,
+      // PKCE is the default for OIDC; state is added as defence-in-depth
       checks: ["pkce", "state"],
       profile(profile) {
         return {