fix: gate unsafe-eval to dev, drop redundant X-Frame-Options, document PKCE+state

- CSP script-src 'unsafe-eval' is now dev-only; Next.js HMR needs it in development but the production standalone build does not - Remove X-Frame-Options: DENY since frame-ancestors 'none' in CSP supersedes it in all modern browsers; keeping both creates a maintenance hazard - Add comment explaining why state check is added alongside PKCE default Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-25 20:36:43 +01:00
parent b5b15c2496
commit b2238f3101
2 changed files with 8 additions and 2 deletions
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -9,18 +9,23 @@ const nextConfig = {
  },
  output: 'standalone',
  async headers() {
+    const isDev = process.env.NODE_ENV === "development";
    return [
      {
+        // Applied to all routes; API routes get no-op CSP but benefit from other headers
        source: "/(.*)",
        headers: [
          { key: "X-Content-Type-Options", value: "nosniff" },
-          { key: "X-Frame-Options", value: "DENY" },
+          // X-Frame-Options omitted: frame-ancestors in CSP supersedes it in all modern browsers
          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
          {
            key: "Content-Security-Policy",
            value: [
              "default-src 'self'",
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval'",  // Next.js requires unsafe-inline/eval in dev
+              // unsafe-eval/unsafe-inline required only for Next.js HMR in development
+              isDev
+                ? "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
+                : "script-src 'self' 'unsafe-inline'",
              "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
              "font-src 'self' https://fonts.gstatic.com",
              "img-src 'self' data: blob:",