fix(web): add HTTP security headers to all responses#1407

Merged
msukkari merged 4 commits into
mainfrom
michael/security-headers-SOU-1466
Jul 1, 2026
Conversation

msukkari (Contributor) commented Jul 1, 2026

Fixes SOU-1466

Summary by CodeRabbit

  • Bug Fixes
    • Added security-related HTTP response headers to all web app pages, including protections for framing, content sniffing, transport security, referrer handling, and device access.
    • Strengthened response security with a content policy that limits where the app can be embedded.

msukkari and others added 2 commits June 30, 2026 20:28
Addresses the missing HTTP security headers finding by setting HSTS,
X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
Permissions-Policy, and a frame-ancestors CSP on all responses via the
Next.js headers() config.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
coderabbitai Bot (Contributor) commented Jul 1, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bf314634-1bda-47b8-b655-54bd7ad35864

📥 Commits

Reviewing files that changed from the base of the PR and between 5466592 and 738cdf4.

📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

Adds an async headers() function to nextConfig in packages/web/next.config.mjs that applies HTTP security headers to all routes, and adds a changelog entry documenting the change.

Changes

Security Headers Configuration

Layer: Add headers() hook and changelog entry
File(s): packages/web/next.config.mjs, CHANGELOG.md
Summary: Adds a headers() function returning HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and CSP frame-ancestors headers for all routes, and adds a corresponding Fixed entry to the changelog.

Estimated code review effort: 2 (Simple) | ~10 minutes

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and concisely summarizes the main change: adding HTTP security headers to all web responses.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

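The walkthrough above names the headers the PR sets but the page does not show the `next.config.mjs` hook itself or its values. The block below is an added example, not Sourcebot's own config: it shows the shape Next.js expects from `nextConfig.headers()`, uses assumed typical values for each header named in the PR, and adds two defender-side checks a practitioner would want when verifying this kind of fix: `missingSecurityHeaders()` reports which of the expected headers a response lacks, and `framingPoliciesAgree()` confirms that `X-Frame-Options` and the CSP `frame-ancestors` directive express the same policy, since browsers that honour CSP and legacy ones that honour only `X-Frame-Options` would otherwise enforce different rules.

```javascript
// Added example (not Sourcebot's next.config.mjs). Header values are assumed
// typical values; the PR page names the headers but not what they are set to.
const SECURITY_HEADERS = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  { key: 'Content-Security-Policy', value: "frame-ancestors 'self'" },
];

// The shape Next.js expects from `nextConfig.headers()`: a list of
// { source, headers } rules. The source pattern `/(.*)` matches every route,
// which is what "all responses" in the PR title requires.
async function headers() {
  return [{ source: '/(.*)', headers: SECURITY_HEADERS }];
}

// Case-insensitive lookup over either a fetch() Headers-like object (has get())
// or a plain object keyed by header name.
function lookupHeader(responseHeaders, name) {
  if (typeof responseHeaders.get === 'function') return responseHeaders.get(name);
  const found = Object.keys(responseHeaders).find(
    (k) => k.toLowerCase() === name.toLowerCase(),
  );
  return found === undefined ? null : responseHeaders[found];
}

// Verification step: which of the expected headers are absent from a response?
// Returns names in SECURITY_HEADERS order; an empty array means all are present.
function missingSecurityHeaders(responseHeaders) {
  return SECURITY_HEADERS
    .map((h) => h.key)
    .filter((name) => !lookupHeader(responseHeaders, name));
}

// X-Frame-Options and CSP frame-ancestors must agree: 'self' pairs with
// SAMEORIGIN, 'none' pairs with DENY, and an origin allow-list has no XFO
// equivalent (so XFO should then be omitted).
function framingPoliciesAgree(headerList) {
  const byKey = Object.fromEntries(headerList.map((h) => [h.key.toLowerCase(), h.value]));
  const xfo = (byKey['x-frame-options'] || '').trim().toUpperCase();
  const m = /frame-ancestors\s+([^;]+)/i.exec(byKey['content-security-policy'] || '');
  if (!m) return true; // no CSP framing rule, so nothing can conflict
  const ancestors = m[1].trim().toLowerCase();
  if (ancestors === "'none'") return xfo === '' || xfo === 'DENY';
  if (ancestors === "'self'") return xfo === '' || xfo === 'SAMEORIGIN';
  return xfo === '';
}

// Constructed sample of a response that only sets two of the six headers.
const SAMPLE_RESPONSE_HEADERS = {
  'content-type': 'text/html; charset=utf-8',
  'x-content-type-options': 'nosniff',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
};

headers().then((rules) => {
  console.log(`${rules[0].headers.length} headers applied to source ${rules[0].source}`);
  console.log('missing from sample response:', missingSecurityHeaders(SAMPLE_RESPONSE_HEADERS));
  console.log('framing policies agree:', framingPoliciesAgree(SECURITY_HEADERS));
});
```

Running `missingSecurityHeaders()` against a live deployment's response headers is the natural post-merge check for a finding like SOU-1466; the framing check is worth keeping because the two framing headers are easy to drift apart when one is later edited without the other.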

brendan-kellam
brendan-kellam previously approved these changes Jul 1, 2026

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 29: The changelog entry has mismatched PR metadata: the visible pull
request id and the linked URL point to different PRs. Update the markdown link
in the CHANGELOG entry so the displayed `#<id>` and the `pull/<id>` target use
the same correct PR number, following the existing
`[#<id>](https://github.com/sourcebot-dev/sourcebot/pull/<id>)` format.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: add0a45d-490c-46ec-a746-6e0c9e483f66

📥 Commits

Reviewing files that changed from the base of the PR and between ff4b389 and 5466592.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • packages/web/next.config.mjs
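The inline comment above flags a changelog entry whose displayed `#<id>` and linked `pull/<id>` differ. The block below is an added example, not part of the PR or the Sourcebot repository: a small check that scans changelog text for links in the `[#<id>](https://github.com/<owner>/<repo>/pull/<id>)` format the comment cites and reports any whose two ids disagree. The sample changelog lines are constructed; the second entry deliberately links `#1407` to a made-up `pull/1406` to show the mismatch being caught.

```javascript
// Added example, not the project's own tooling. Matches the changelog link
// format quoted by the review comment: [#<id>](https://github.com/<owner>/<repo>/pull/<id>)
const PR_LINK = /\[#(\d+)\]\((https:\/\/github\.com\/[\w.-]+\/[\w.-]+\/pull\/(\d+))\)/g;

// Returns one record per link whose displayed id differs from the pull/<id>
// target: { line, shown, target, url }. An empty array means all links agree.
function findMismatchedPrLinks(changelog) {
  const problems = [];
  changelog.split('\n').forEach((text, index) => {
    for (const m of text.matchAll(PR_LINK)) {
      const [, shown, url, target] = m;
      if (shown !== target) problems.push({ line: index + 1, shown, target, url });
    }
  });
  return problems;
}

// Constructed sample; the real CHANGELOG entry is not reproduced on the PR page.
// The last line's pull/1406 is a made-up wrong target, not a real reference.
const SAMPLE_CHANGELOG = [
  '## [Unreleased]',
  '### Fixed',
  '- Added HTTP security headers to all responses. [#1407](https://github.com/sourcebot-dev/sourcebot/pull/1407)',
  '- Entry with the mismatch the review flagged: [#1407](https://github.com/sourcebot-dev/sourcebot/pull/1406)',
].join('\n');

for (const p of findMismatchedPrLinks(SAMPLE_CHANGELOG)) {
  console.log(`line ${p.line}: shows #${p.shown} but links to pull/${p.target} (${p.url})`);
}
```

Running this over `CHANGELOG.md` in CI turns the reviewer's manual catch into a repeatable check.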

Comment thread CHANGELOG.md Outdated
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@msukkari msukkari merged commit 3e4548c into main Jul 1, 2026
7 of 8 checks passed
