authorFuwn <[email protected]>2026-02-07 05:35:28 -0800
committerFuwn <[email protected]>2026-02-07 05:35:28 -0800
commitc4b2813cc07a72ad7186347a2e003c01cf0d4fb0 (patch)
treeef9e2991084139e649dc7f6d3ada0795789a55f0 /apps/web/next.config.ts
parentfix: dynamically calculate detail panel equal split from current layout (diff)
security: remove unsafe-eval CSP, fix host header injection, harden API routes
- Remove unsafe-eval from script-src CSP (not needed in production)
- Replace Host/Origin header fallback with NEXT_PUBLIC_APP_URL in share and checkout routes to prevent host header injection
- Add .catch() to request.json() in share POST and PATCH routes
- Add rate limiting (3/min) to account deletion endpoint
Diffstat (limited to 'apps/web/next.config.ts')
-rw-r--r--apps/web/next.config.ts2
1 files changed, 1 insertions, 1 deletions
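diff --git a/apps/web/next.config.ts b/apps/web/next.config.ts
index f580efd..4d35ae1 100644
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -23,7 +23,7 @@ const securityHeaders = [
 key: "Content-Security-Policy",
 value: [
 "default-src 'self'",
-"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com",
+"script-src 'self' 'unsafe-inline' https://va.vercel-scripts.com",
 "style-src 'self' 'unsafe-inline'",
 "img-src 'self' data: https: http:",
 "font-src 'self'",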