p0-h1-csp-header

done · type/backlog · priority/p0 · severity/high · topic/auth · topic/headers

p0 · H1 · Content-Security-Policy header

TL;DR

CSP added via headers() in next.config.mjs. Default header is Content-Security-Policy-Report-Only; setting CSP_ENFORCE=true switches to the enforcing Content-Security-Policy header. Shipped as Phase D step 2.

Status: done (2026-05-24, code) · Source: [[Projects/personal-finance-notion/context/audit-2026-05-17-auth|Auth audit 2026-05-17 §H1]]

Shipped (app repo)

  • buildContentSecurityPolicy() — default-src, script/style, img (incl. Google avatars), connect-src (OpenRouter, Resend), frame-ancestors, form-action
  • Dev only: 'unsafe-eval' in script-src and ws: / wss: in connect-src, needed for Turbopack HMR; both are dropped from the production policy
  • .env.example documents CSP_ENFORCE
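As an added example (not the app repo's own next.config.mjs), this is the shape of buildContentSecurityPolicy() and the headers() entry the note describes: one builder that takes a dev flag, a helper that picks Report-Only vs enforcing from CSP_ENFORCE, and a small parser used to check what a given policy actually allows. The concrete hostnames (lh3.googleusercontent.com for Google avatars, openrouter.ai, api.resend.com), the style-src 'unsafe-inline' concession and the extra base-uri/object-src directives are assumptions, not taken from the page.

```javascript
// Added example, not the project's code. Hostnames below are assumptions.
const GOOGLE_AVATAR_HOST = "https://lh3.googleusercontent.com"; // assumed avatar CDN
const OPENROUTER_API = "https://openrouter.ai";                  // assumed API origin
const RESEND_API = "https://api.resend.com";                     // assumed API origin

// Builds the policy string. Dev adds 'unsafe-eval' (eval-based dev tooling)
// and ws:/wss: (Turbopack HMR socket); production gets neither.
function buildContentSecurityPolicy({ isDev = false } = {}) {
  const directives = {
    "default-src": ["'self'"],
    "script-src": ["'self'", ...(isDev ? ["'unsafe-eval'"] : [])],
    "style-src": ["'self'", "'unsafe-inline'"], // assumption: inline styles from the framework
    "img-src": ["'self'", "data:", GOOGLE_AVATAR_HOST],
    "connect-src": ["'self'", OPENROUTER_API, RESEND_API, ...(isDev ? ["ws:", "wss:"] : [])],
    "frame-ancestors": ["'none'"], // clickjacking: nobody may frame the app
    "form-action": ["'self'"],     // forms may only post back to the app
    "base-uri": ["'self'"],        // assumption: blocks <base> hijacking of relative URLs
    "object-src": ["'none'"],      // assumption: no plugins
  };
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
}

// Report-Only by default; CSP_ENFORCE=true flips to the enforcing header.
function cspHeaderName(env) {
  return env.CSP_ENFORCE === "true"
    ? "Content-Security-Policy"
    : "Content-Security-Policy-Report-Only";
}

// The array shape Next.js expects from headers() in next.config.mjs.
function buildSecurityHeaders(env) {
  const isDev = env.NODE_ENV !== "production";
  return [
    {
      source: "/(.*)",
      headers: [{ key: cspHeaderName(env), value: buildContentSecurityPolicy({ isDev }) }],
    },
  ];
}

// Parses "name v1 v2; name2 v3" into { name: [v1, v2], name2: [v3] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    out[name] = values;
  }
  return out;
}

// Directives that do NOT fall back to default-src when absent.
const NO_FALLBACK = new Set([
  "frame-ancestors", "form-action", "base-uri", "sandbox",
  "report-uri", "report-to", "upgrade-insecure-requests",
]);

// Does the policy list `source` for `directive`, honouring default-src fallback?
function policyAllows(policy, directive, source) {
  const d = parseCsp(policy);
  const list = d[directive] ?? (NO_FALLBACK.has(directive) ? [] : d["default-src"] ?? []);
  return list.includes(source);
}

// Stand-alone run: print both variants.
console.log("dev :", buildContentSecurityPolicy({ isDev: true }));
console.log("prod:", buildSecurityHeaders({ NODE_ENV: "production", CSP_ENFORCE: "true" })[0].headers[0]);
```

In next.config.mjs the wiring is `async headers() { return buildSecurityHeaders(process.env); }`. Two things the builder does not include and the page does not mention: a report-to / report-uri directive, without which Report-Only violations show up only in the browser console rather than anywhere you can soak-test them, and per-request nonces for script-src, which an enforcing policy without 'unsafe-inline' will eventually need.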

Spun out

  • [[Projects/personal-finance-notion/backlog/p2-csp-enforce-production|p2 · CSP enforce on production]] — staging soak + flip CSP_ENFORCE=true

Related

  • App repo: next.config.mjs, .env.example