From 442740939e5a8c7822ccb3ad6bfe3926b04fb7c9 Mon Sep 17 00:00:00 2001
From: Joel Brock
Date: Sat, 9 May 2026 21:51:28 -0700
Subject: [PATCH] Allow CSP unsafe-eval in dev only (Next.js HMR); production stays strict
---
 next.config.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/next.config.ts b/next.config.ts
index a22d142..03e59f8 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -14,12 +14,18 @@ import type { NextConfig } from "next";
  * other origins via the Referer header.
  * - X-Content-Type-Options: prevents MIME sniffing.
  */
+// Next.js React dev runtime uses dynamic-script execution for fast-refresh,
+// error overlays, and source-map reconstruction. Permit that ONLY in dev so
+// HMR works; production CSP stays strict (no dynamic execution allowed).
+const isDev = process.env.NODE_ENV !== "production";
+const devOnlyDynamicScript = isDev ? " 'unsafe-eval'" : "";
+
 const securityHeaders = [
   {
     key: "Content-Security-Policy",
     value: [
       "default-src 'self'",
-      "script-src 'self' 'unsafe-inline'",
+      `script-src 'self' 'unsafe-inline'${devOnlyDynamicScript}`,
       "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
       "font-src 'self' https://fonts.gstatic.com data:",
       "img-src 'self' data:",
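Review bot: The gate on the added `isDev` line fails open — `process.env.NODE_ENV !== "production"` treats an unset, `test`, or mistyped NODE_ENV as development, so any build where the variable is not exactly `production` ships `'unsafe-eval'` in script-src. Inverting it to fail closed, `const isDev = process.env.NODE_ENV === "development";`, limits the relaxation to the case the new comment actually describes (the Next.js dev server). It would also help to state in that comment that `'unsafe-inline'` remains in script-src in production, so "stays strict" here refers only to dynamic code evaluation, not to inline scripts. The `securityHeaders` array continues past the end of the hunk.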