From d8cb43757a1a272d98811bca71b1e8768506e420 Mon Sep 17 00:00:00 2001
From: Gabito Esmiapodo <4015436+gabitoesmiapodo@users.noreply.github.com>
Date: Mon, 23 Mar 2026 18:42:04 -0300
Subject: [PATCH 1/2] fix(security): add CSP report-only header and security headers

- Add Content-Security-Policy-Report-Only via vercel.json headers to capture violations without breaking existing functionality
- Add X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers
---
 vercel.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/vercel.json b/vercel.json
index 408821b1..a28b45f2 100644
--- a/vercel.json
+++ b/vercel.json
@@ -1,4 +1,27 @@
 {
+ "headers": [
+ {
+ "source": "/(.*)",
+ "headers": [
+ {
+ "key": "Content-Security-Policy-Report-Only",
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report"
+ },
+ {
+ "key": "X-Content-Type-Options",
+ "value": "nosniff"
+ },
+ {
+ "key": "X-Frame-Options",
+ "value": "DENY"
+ },
+ {
+ "key": "Referrer-Policy",
+ "value": "strict-origin-when-cross-origin"
+ }
+ ]
+ }
+ ],
 "rewrites": [
 {
 "source": "/(.*)",

From c35e0ffaf3844001457aa0e5900719dce2563d0a Mon Sep 17 00:00:00 2001
From: Gabito Esmiapodo <4015436+gabitoesmiapodo@users.noreply.github.com>
Date: Mon, 30 Mar 2026 16:01:11 -0300
Subject: [PATCH 2/2] fix(security): remove broken report-uri from CSP header
---
 vercel.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vercel.json b/vercel.json
index a28b45f2..44f7f0aa 100644
--- a/vercel.json
+++ b/vercel.json
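Review bot: The `Content-Security-Policy-Report-Only` value in the first hunk grants `'unsafe-inline'` and `'unsafe-eval'` in script-src and an open `https:` in img-src and connect-src, so in report-only mode it will surface few violations and, if later promoted to enforcing mode unchanged, would not stop an injected inline script. A policy worth trialling would replace `'unsafe-inline'` with nonces or hashes, list the concrete connect-src hosts, and add `object-src 'none'; base-uri 'self'`, which the value omits (base-uri has no default-src fallback). `frame-ancestors 'none'` and the `X-Frame-Options: DENY` entry agree, which is fine. The `/(.*)` source also attaches these headers to every route, including any API responses; presumably intended, but worth confirming.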
@@ -5,7 +5,7 @@
 "headers": [
 {
 "key": "Content-Security-Policy-Report-Only",
- "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'; report-uri /csp-report"
+ "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https: wss:; frame-ancestors 'none'"
 },
 {
 "key": "X-Content-Type-Options",
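Review bot: With `report-uri` removed, the new `Content-Security-Policy-Report-Only` value names no reporting destination, so violations appear only in browser devtools and nothing is captured server-side, which undercuts the purpose stated in the first patch's message. If the directive was dropped because `/csp-report` had no handler, the fix is a route that accepts `POST` bodies of type `application/csp-report` and returns 204, with `report-uri /csp-report` restored; alternatively use a `report-to` directive paired with a `Reporting-Endpoints` header once an endpoint exists. Because vercel.json is strict JSON and cannot carry a comment, record the console-only status of this header in the commit message or README until reporting is wired up.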