fix: gate unsafe-eval to dev, drop redundant X-Frame-Options, document PKCE+state

- CSP script-src 'unsafe-eval' is now dev-only; Next.js HMR needs it in
  development but the production standalone build does not
- Remove X-Frame-Options: DENY since frame-ancestors 'none' in CSP supersedes
  it in all modern browsers; keeping both creates a maintenance hazard
- Add comment explaining why state check is added alongside PKCE default

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fuomag9
2026-02-25 20:36:43 +01:00
parent b5b15c2496
commit b2238f3101
2 changed files with 8 additions and 2 deletions
@@ -89,6 +89,7 @@ function createOAuthProviders(): OAuthConfig<any>[] {
authorization: config.oauth.authorizationUrl ?? undefined,
token: config.oauth.tokenUrl ?? undefined,
userinfo: config.oauth.userinfoUrl ?? undefined,
// PKCE is the default for OIDC; state is added as defence-in-depth
checks: ["pkce", "state"],
profile(profile) {
return {
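Review bot: the new comment on the `checks` line says state is "defence-in-depth" but not what it defends against, which is the rationale the commit message promises to document; suggest naming the threat, e.g. `// state binds the callback to the session that started the flow (callback CSRF, RFC 6749 §10.12); PKCE alone does not`. It would also help to say that `checks` is listed explicitly here because this provider is built from user-supplied `authorizationUrl`/`tokenUrl`/`userinfoUrl`, so the intended checks should not depend on library defaults. Minor: `OAuthConfig<any>[]` in the function signature could use a concrete profile type instead of `any`.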