---
issue: 083
title: "Frontend: no Content-Security-Policy header in Next.js config"
severity: medium
domain: Security
labels: [security, frontend, csp]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: no Content-Security-Policy header in Next.js config

**Severity:** medium
**Domain:** Security
**Labels:** security, frontend, csp

## Description

`next.config.ts:29` does not set a `Content-Security-Policy` header. CSP does not prevent an XSS bug, but it limits what injected script can do. Without it, any script injected into the page runs with no restrictions: it can read the tokens kept in `localStorage`, exfiltrate them to an arbitrary origin, and load further scripts from anywhere, so DOM-based attacks and token theft are much easier than they need to be.

## Options

1. Ship `Content-Security-Policy-Report-Only` first to collect violations, then enforce. Safe rollout, nothing breaks while the allowlist is wrong.
2. Enforce a moderate CSP that allows the required third-party hosts (Telegram, WalletConnect, Mapbox, Sentry) and uses nonces for inline scripts.
3. Strict CSP with nonces and removal of all inline scripts. Strongest, but requires refactoring the inline scripts in `layout.tsx`.

## Recommendation

Ship `Content-Security-Policy-Report-Only` first, gather violations for a week, then switch the same policy to `Content-Security-Policy`. The inline scripts in `layout.tsx` must carry a nonce. A nonce has to be fresh and unpredictable per response, so the header cannot be a static entry in `next.config.ts` `headers()`; it has to be generated per request (in middleware) and the same value passed to `layout.tsx`. Keep `'unsafe-inline'` out of `script-src`: a nonce in the same directive disables it anyway, and a `report-only` phase is the place to find the remaining inline scripts. Non-trivial rollout.

## Affected Files

- `frontend/next.config.ts:29`
- `frontend/src/app/layout.tsx` — inline scripts that need nonces

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-8
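The two-phase rollout above, as an added example that is not code from the audited frontend: a per-request nonce and a single policy builder whose only difference between phase 1 and phase 2 is the header name. The third-party hostnames, the `/api/csp-report` endpoint and the `frame-ancestors` default are assumptions for illustration; replace them with what the report-only violations actually show. The comments at the end describe the middleware wiring the Next.js CSP guide documents, which is omitted here so the block runs stand-alone under Node.

```typescript
// Added example for issue 083: CSP builder for the report-only -> enforce rollout.
// Not part of the audited frontend; hostnames and report endpoint are assumptions.
import { randomBytes } from "node:crypto";

// ASSUMED origins for the hosts the issue names (Telegram, WalletConnect, Mapbox, Sentry).
// Confirm each one against the Content-Security-Policy-Report-Only reports before enforcing.
const THIRD_PARTY = {
  script: ["https://telegram.org"],
  style: ["https://api.mapbox.com"],
  img: ["https://api.mapbox.com", "data:", "blob:"],
  connect: [
    "https://*.walletconnect.com", "wss://*.walletconnect.com",
    "https://*.walletconnect.org", "wss://*.walletconnect.org",
    "https://api.mapbox.com", "https://events.mapbox.com",
    "https://*.ingest.sentry.io",
  ],
  worker: ["blob:"], // Mapbox GL starts its workers from blob: URLs
};

// 128 bits of randomness per response. A nonce reused across responses is as good as none.
export function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

export interface CspOptions {
  nonce: string;
  enforce: boolean;          // false = Content-Security-Policy-Report-Only (phase 1)
  reportUri?: string;        // ASSUMED endpoint that logs violation reports
  frameAncestors?: string[]; // ASSUMED default 'self'; widen if the app is embedded (e.g. inside web.telegram.org)
}

export function buildCsp(opts: CspOptions): { name: string; value: string } {
  const { nonce, enforce, reportUri = "/api/csp-report", frameAncestors = ["'self'"] } = opts;
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    // Nonce + 'strict-dynamic': a nonced <script> may load further scripts (WalletConnect,
    // Mapbox, Sentry chunks) without listing them. The host entries are a fallback for
    // browsers that do not understand 'strict-dynamic'. No 'unsafe-inline' here.
    "script-src": ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'", ...THIRD_PARTY.script],
    // Next.js and Mapbox inject inline styles; allowing them does not loosen script execution.
    "style-src": ["'self'", "'unsafe-inline'", ...THIRD_PARTY.style],
    "img-src": ["'self'", ...THIRD_PARTY.img],
    "connect-src": ["'self'", ...THIRD_PARTY.connect],
    "worker-src": ["'self'", ...THIRD_PARTY.worker],
    "font-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": frameAncestors,
    "report-uri": [reportUri],
  };
  const value = Object.entries(directives)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
  return {
    name: enforce ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only",
    value,
  };
}

// Small parser so the policy can be inspected (and unit-tested) as a map.
export function parseCsp(value: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/);
    if (directive) out.set(directive, sources);
  }
  return out;
}

// Wiring in Next.js (not executed here; this is the pattern the Next.js CSP guide documents):
//   middleware.ts: const nonce = generateNonce();
//                  const { name, value } = buildCsp({ nonce, enforce: false }); // flip to true in phase 2
//                  const reqHeaders = new Headers(request.headers); reqHeaders.set("x-nonce", nonce);
//                  const res = NextResponse.next({ request: { headers: reqHeaders } });
//                  res.headers.set(name, value); return res;
//   layout.tsx:    const nonce = headers().get("x-nonce") ?? undefined;
//                  <Script nonce={nonce} id="...">{/* inline script */}</Script>
```

`report-uri` is kept rather than `report-to` because every browser that enforces CSP understands it; the endpoint it points to has to accept POSTed JSON and is where the week of phase-1 data comes from.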