From f065c970dcd1f73ba0676c29e900ee92ff42aa52 Mon Sep 17 00:00:00 2001
From: Sajan Ghimire <122589374+54J4N@users.noreply.github.com>
Date: Sat, 10 Jan 2026 19:35:20 +0545
Subject: [PATCH] fix(security): eliminate proxy/SSRF vulnerability and add comprehensive security headers

The previous `next.config.ts` contained unsafe rewrite rules that created an unauthenticated proxy/SSRF vulnerability:

```typescript
// REMOVED - Security risk
rewrites: async function rewrites() {
  return [
    {
      source: '/api/:path*',
      destination: 'https://opensource.microsoft.com/api/:path*',
    },
    {
      source: '/avatars/:path*',
      destination: 'https://opensource.microsoft.com/avatars/:path*',
    },
  ]
}
---
 next.config.ts | 46 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 14 deletions(-)

diff --git a/next.config.ts b/next.config.ts
index 9e6eef0af..8defa4cfd 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -7,24 +7,42 @@ import type { NextConfig } from 'next';
 const isProduction = process.env.NODE_ENV === 'production';
-const nextConfig: NextConfig = isProduction ? {
+const nextConfig: NextConfig = {
   output: 'export',
   trailingSlash: true,
-} : {};
-
-if (!isProduction) {
-  nextConfig.rewrites = async function rewrites() {
+  async headers() {
     return [
       {
-        source: '/api/:path*',
-        destination: 'https://opensource.microsoft.com/api/:path*',
-      },
-      {
-        source: '/avatars/:path*',
-        destination: 'https://opensource.microsoft.com/avatars/:path*',
-      },
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff'
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY'
+          },
+          {
+            key: 'X-XSS-Protection',
+            value: '1; mode=block'
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin'
+          },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=()'
+          },
+          {
+            key: 'Content-Security-Policy',
+            value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
+          }
+        ]
+      }
     ]
-  };
-}
+  }
+};
 export default nextConfig;
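Review bot: The `headers()` block added at `+  async headers() {` will not be applied to the built site, because `output: 'export'` is now set unconditionally and Next.js documents custom headers (alongside rewrites and redirects) as unsupported for static export, so none of these headers reach the browser unless the static host is configured to emit them; a comment on that line such as `// NOTE: headers() is not honored by output: 'export' — mirror these in the hosting platform's header config` would keep the next maintainer from assuming the protection is in place. Once the export change makes the dev/prod split unnecessary, `isProduction` on the context line appears to become an unused binding unless it is referenced outside this hunk. `X-XSS-Protection` is deprecated and the auditor it enables is removed from current browsers; the usual recommendation is to drop the entry or set `value: '0'`. The CSP's `script-src 'self' 'unsafe-inline' 'unsafe-eval'` leaves script injection largely unmitigated, and since static export precludes per-request nonces, it is worth verifying whether `'unsafe-eval'` is actually needed and whether inline scripts can be replaced by hashes.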