From af55159b3e3149c2d135eca82bbf339a26f3df5c Mon Sep 17 00:00:00 2001
From: flashboy
Date: Mon, 26 Jan 2026 12:48:58 -0500
Subject: [PATCH 1/7] Add security headers to frontend

---
 frontend/next.config.ts | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index 15185ac..b256287 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
@@ -10,6 +10,33 @@ const nextConfig: NextConfig = {
 },
 ],
 },
+ async headers() {
+ return [
+ {
+ source: '/(.*)',
+ headers: [
+ { key: 'X-Content-Type-Options', value: 'nosniff' },
+ { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+ { key: 'Permissions-Policy', value: 'geolocation=(), microphone=(), camera=()' },
+ { key: 'X-Frame-Options', value: 'DENY' },
+ {
+ key: 'Content-Security-Policy',
+ value: [
+ "default-src 'self'",
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+ "style-src 'self' 'unsafe-inline'",
+ "img-src 'self' data: https://raw.githubusercontent.com",
+ "font-src 'self'",
+ "connect-src 'self' wss://monode-mainnet.monadinfra.com https://*.vercel-insights.com https://*.vercel-analytics.com",
+ "frame-ancestors 'none'",
+ "base-uri 'self'",
+ "form-action 'self'",
+ ].join('; '),
+ },
+ ],
+ },
+ ]
+ },
 }
 
 export default nextConfig

From 52686f1687d95e70d7a2e2b877e690f2efd6c832 Mon Sep 17 00:00:00 2001
From: flashboy
Date: Mon, 26 Jan 2026 12:58:31 -0500
Subject: [PATCH 2/7] rm unsafe directives

---
 frontend/.env.example | 2 +-
 frontend/next.config.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/.env.example b/frontend/.env.example
index efef0d3..ffc2e5b 100644
--- a/frontend/.env.example
+++ b/frontend/.env.example
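Review bot: `'unsafe-inline'` in the `script-src` line (and `'unsafe-eval'` beside it) means this policy cannot stop an injected inline script, which is the main XSS case a CSP exists for; the keyword is re-added in patch 3 and is still present in the `script-src` template literal of patch 6's second hunk, so the final state of the series keeps the same gap. A static `headers()` entry is evaluated once and cannot carry a per-request nonce, so the usual Next.js route is to build the `script-src` (`'nonce-…' 'strict-dynamic'`) in middleware from a nonce generated per request and keep only the static directives here. If that is out of scope for this PR, a comment on the line such as `// 'unsafe-inline' stays until scripts are nonced via middleware (see Next.js CSP guide)` records that this is a known weakening rather than a finished policy. `X-Frame-Options: DENY` next to `frame-ancestors 'none'` is a reasonable fallback for browsers without CSP2 support; the enclosing `nextConfig` object starts above the hunk.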
@@ -3,4 +3,4 @@ NEXT_PUBLIC_EVENTS_WS_URL="wss://:"
 
 # BlockVision Pro API key for Monad mainnet contract metadata lookups
 # Get your API key from https://docs.blockvision.org/
-BLOCKVISION_API_KEY="your-api-key-here"
+BLOCKVISION_API_KEY="your-api-key-here"
\ No newline at end of file
diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index b256287..958e91f 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
@@ -23,8 +23,8 @@ const nextConfig: NextConfig = {
 key: 'Content-Security-Policy',
 value: [
 "default-src 'self'",
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
- "style-src 'self' 'unsafe-inline'",
+ "script-src 'self'",
+ "style-src 'self'",
 "img-src 'self' data: https://raw.githubusercontent.com",
 "font-src 'self'",
 "connect-src 'self' wss://monode-mainnet.monadinfra.com https://*.vercel-insights.com https://*.vercel-analytics.com",

From 7b0a1cf8c4a1a22867a0e23b1932ae0222834dc8 Mon Sep 17 00:00:00 2001
From: flashboy
Date: Mon, 26 Jan 2026 13:01:11 -0500
Subject: [PATCH 3/7] re-add unsafe directives, staging backend url

---
 frontend/next.config.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index 958e91f..28146e9 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
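Review bot: The tightened `script-src 'self'` and `style-src 'self'` lines ship directly as an enforcing `Content-Security-Policy` with no report channel, so anything the policy blocks only shows up as a broken page, which is presumably why the next commit in this series reverts them. Next.js emits inline scripts for hydration data and may emit inline styles, and `'self'` alone blocks those unless they carry a nonce or hash, so a change like this needs checking against `next build && next start` rather than the dev server. The safer way to land a stricter policy is to serve it first as `Content-Security-Policy-Report-Only` (optionally with a `report-to` directive), read the violation reports from a production build, and move it to the enforcing header once they are clean. The `headers()` method these lines live in starts outside the hunk.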
@@ -23,11 +23,11 @@ const nextConfig: NextConfig = {
 key: 'Content-Security-Policy',
 value: [
 "default-src 'self'",
- "script-src 'self'",
- "style-src 'self'",
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+ "style-src 'self' 'unsafe-inline'",
 "img-src 'self' data: https://raw.githubusercontent.com",
 "font-src 'self'",
- "connect-src 'self' wss://monode-mainnet.monadinfra.com https://*.vercel-insights.com https://*.vercel-analytics.com",
+ "connect-src 'self' wss://monode-mainnet.monadinfra.com wss://execution-events-backend-example.molandak.org https://*.vercel-insights.com https://*.vercel-analytics.com",
 "frame-ancestors 'none'",
 "base-uri 'self'",
 "form-action 'self'",

From c834ff9011e5f29440c6d24a70851386d004de68 Mon Sep 17 00:00:00 2001
From: flashboy
Date: Mon, 26 Jan 2026 17:24:25 -0500
Subject: [PATCH 4/7] fix json format

---
 frontend/next.config.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index 28146e9..dc1c789 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
@@ -17,7 +17,10 @@ const nextConfig: NextConfig = {
 headers: [
 { key: 'X-Content-Type-Options', value: 'nosniff' },
 { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
- { key: 'Permissions-Policy', value: 'geolocation=(), microphone=(), camera=()' },
+ {
+ key: 'Permissions-Policy',
+ value: 'geolocation=(), microphone=(), camera=()'
+ },
 { key: 'X-Frame-Options', value: 'DENY' },
 {
 key: 'Content-Security-Policy',

From a779c8b5e3657b74bc363aca7ae22222ac21a019 Mon Sep 17 00:00:00 2001
From: flashboy
Date: Mon, 26 Jan 2026 17:26:36 -0500
Subject: [PATCH 5/7] add trailing comma

---
 frontend/next.config.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index dc1c789..0b71e26 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
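Review bot: The new `connect-src` entry hard-codes `wss://execution-events-backend-example.molandak.org`, while the websocket endpoint itself is configured through `NEXT_PUBLIC_EVENTS_WS_URL` (see `frontend/.env.example` in patch 2), so the two can drift: pointing the env var at another host makes the browser silently block the connection, and retired hosts stay allow-listed. Deriving the entry at config time, e.g. `const eventsWsOrigin = process.env.NEXT_PUBLIC_EVENTS_WS_URL ? new URL(process.env.NEXT_PUBLIC_EVENTS_WS_URL).origin : ''` and interpolating `${eventsWsOrigin}` into the `connect-src` line (turned into a template literal), keeps the allow-list and the endpoint in one place — assuming that env var is what the client actually connects to, which the websocket client code should confirm. The commit message calls this a staging URL and the host name contains `example`; if it is a placeholder it should not land in the production policy, and if it is real the naming deserves a comment. The `headers()` method this hunk edits starts outside the hunk.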
@@ -19,7 +19,7 @@ const nextConfig: NextConfig = {
 { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
 {
 key: 'Permissions-Policy',
- value: 'geolocation=(), microphone=(), camera=()'
+ value: 'geolocation=(), microphone=(), camera=()',
 },
 { key: 'X-Frame-Options', value: 'DENY' },
 {

From b5a2b7c92a35a9a881f0185c44aadcbf7966ca65 Mon Sep 17 00:00:00 2001
From: Madhur Gupta
Date: Thu, 29 Jan 2026 06:59:25 +0000
Subject: [PATCH 6/7] chore(frontend): improve CSP per Next.js docs

---
 frontend/next.config.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index 0b71e26..14f4afc 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
@@ -1,5 +1,7 @@
 import type { NextConfig } from 'next'
 
+const isDev = process.env.NODE_ENV === 'development'
+
 const nextConfig: NextConfig = {
 images: {
 remotePatterns: [
@@ -26,14 +28,16 @@ const nextConfig: NextConfig = {
 key: 'Content-Security-Policy',
 value: [
 "default-src 'self'",
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+ `script-src 'self' 'unsafe-inline' https://va.vercel-scripts.com${isDev ? " 'unsafe-eval'" : ''}`,
 "style-src 'self' 'unsafe-inline'",
 "img-src 'self' data: https://raw.githubusercontent.com",
 "font-src 'self'",
- "connect-src 'self' wss://monode-mainnet.monadinfra.com wss://execution-events-backend-example.molandak.org https://*.vercel-insights.com https://*.vercel-analytics.com",
+ "connect-src 'self' wss://monode-mainnet.monadinfra.com wss://execution-events-backend-example.molandak.org",
 "frame-ancestors 'none'",
+ "object-src 'none'",
 "base-uri 'self'",
 "form-action 'self'",
+ "upgrade-insecure-requests",
 ].join('; '),
 },
 ],

From ee1ca2077a41b7d65aec9848e323c7fd6d026a2a Mon Sep 17 00:00:00 2001
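Review bot: `upgrade-insecure-requests` is added in patch 6's second hunk but the header list still has no `Strict-Transport-Security`, so the directive only rewrites sub-resource URLs after a page has loaded and the first navigation over plain HTTP stays unprotected; adding `{ key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },` next to `X-Frame-Options` closes that (if the hosting platform already injects HSTS, check that the response carries the header only once). The `isDev` gate in the first hunk relies on `NODE_ENV`, which `next dev` sets to `development` and `next build`/`next start` set to `production` by default, so `'unsafe-eval'` is dropped from production builds as intended, but a comment on the `isDev` line such as `// 'unsafe-eval' is only needed by the dev server (eval-based source maps / HMR)` would record why the split exists. Dropping `https://*.vercel-insights.com` and `https://*.vercel-analytics.com` from `connect-src` while adding `https://va.vercel-scripts.com` to `script-src` is presumably fine because production analytics beacons go to same-origin `/_vercel/insights/*` routes, but that should be confirmed in the browser console on a deployed build. The `headers()` method the second hunk edits starts outside the hunk.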
From: Madhur Gupta
Date: Thu, 29 Jan 2026 07:01:36 +0000
Subject: [PATCH 7/7] style(frontend): standardize quotes for upgrade-insecure-requests header

---
 frontend/next.config.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index 14f4afc..d62f6da 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
@@ -37,7 +37,7 @@ const nextConfig: NextConfig = {
 "object-src 'none'",
 "base-uri 'self'",
 "form-action 'self'",
- "upgrade-insecure-requests",
+ 'upgrade-insecure-requests',
 ].join('; '),
 },
 ],