Production hardening: CSP, rate limit, env validation, health gating, Render blueprint, DEPLOYMENT.md

next.config.ts

@@ -1,7 +1,51 @@
 import type { NextConfig } from "next";
 
+/**
+ * Security headers applied to every response.
+ *
+ * Notes on each:
+ *   - CSP: tight default; allows Google Fonts (next/font) and the same-origin
+ *     /api routes. No third-party scripts. `frame-ancestors 'none'` prevents
+ *     this app being embedded in another site's iframe.
+ *   - HSTS: only meaningful behind HTTPS (Render terminates TLS, so this is
+ *     correct in production).
+ *   - Permissions-Policy: drop everything we don't use.
+ *   - Referrer-Policy: same-origin — never leak the cid+cs query string to
+ *     other origins via the Referer header.
+ *   - X-Content-Type-Options: prevents MIME sniffing.
+ */
+const securityHeaders = [
+  {
+    key: "Content-Security-Policy",
+    value: [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-inline'",
+      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+      "font-src 'self' https://fonts.gstatic.com data:",
+      "img-src 'self' data:",
+      "connect-src 'self'",
+      "frame-ancestors 'none'",
+      "form-action 'self'",
+      "base-uri 'self'",
+      "object-src 'none'",
+    ].join("; "),
+  },
+  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
+  { key: "X-Content-Type-Options", value: "nosniff" },
+  { key: "Referrer-Policy", value: "same-origin" },
+  {
+    key: "Permissions-Policy",
+    value: "camera=(), microphone=(), geolocation=(), interest-cohort=()",
+  },
+  { key: "X-Frame-Options", value: "DENY" },
+];
+
 const nextConfig: NextConfig = {
-  /* config options here */
+  poweredByHeader: false,
+  reactStrictMode: true,
+  async headers() {
+    return [{ source: "/:path*", headers: securityHeaders }];
+  },
 };
 
 export default nextConfig;