authorFuwn <[email protected]>2026-02-07 05:35:28 -0800
committerFuwn <[email protected]>2026-02-07 05:35:28 -0800
commitc4b2813cc07a72ad7186347a2e003c01cf0d4fb0 (patch)
treeef9e2991084139e649dc7f6d3ada0795789a55f0 /apps/web/app/api/billing
parentfix: dynamically calculate detail panel equal split from current layout (diff)
security: remove unsafe-eval CSP, fix host header injection, harden API routes
- Remove unsafe-eval from script-src CSP (not needed in production)
- Replace Host/Origin header fallback with NEXT_PUBLIC_APP_URL in share and checkout routes to prevent host header injection
- Add .catch() to request.json() in share POST and PATCH routes
- Add rate limiting (3/min) to account deletion endpoint
Diffstat (limited to 'apps/web/app/api/billing')
-rw-r--r--apps/web/app/api/billing/create-checkout-session/route.ts10
1 files changed, 7 insertions, 3 deletions
diff --git a/apps/web/app/api/billing/create-checkout-session/route.ts b/apps/web/app/api/billing/create-checkout-session/route.ts
index d165cbc..4eaa08c 100644
--- a/apps/web/app/api/billing/create-checkout-session/route.ts
+++ b/apps/web/app/api/billing/create-checkout-session/route.ts
@@ -1,5 +1,4 @@
import { NextResponse } from "next/server"
-import { headers } from "next/headers"
import { createSupabaseServerClient } from "@/lib/supabase/server"
import { createSupabaseAdminClient } from "@/lib/supabase/admin"
import { getStripe } from "@/lib/stripe"
@@ -129,8 +128,13 @@ export async function POST(request: Request) {
}
}
- const headersList = await headers()
- const origin = headersList.get("origin") || "http://localhost:3000"
+ const origin = process.env.NEXT_PUBLIC_APP_URL?.replace(/\/$/, "")
+ if (!origin) {
+ return NextResponse.json(
+ { error: "application URL is not configured" },
+ { status: 500 }
+ )
+ }
const checkoutSession = await getStripe().checkout.sessions.create({
customer: stripeCustomerIdentifier,