From 08382ff4a167ae8e702ec49962cb4502e0871c77 Mon Sep 17 00:00:00 2001 From: DanielS Date: Thu, 25 Jun 2026 17:20:27 +0200 Subject: [PATCH] sec: Add form-action to CSP and remove duplicate HSTS header based on ZAP report --- .gitignore | 1 + shop/next.config.ts | 6 +----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index b94ee01..ef2b3dd 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ example_data/ shop/Leitfaden .gitignore db-access.txt +2026-06-25-ZAP-Report-.json diff --git a/shop/next.config.ts b/shop/next.config.ts index f3d41f1..88d01a0 100644 --- a/shop/next.config.ts +++ b/shop/next.config.ts @@ -17,13 +17,9 @@ const nextConfig: NextConfig = { key: 'X-Content-Type-Options', value: 'nosniff', }, - { - key: 'Strict-Transport-Security', - value: 'max-age=31536000; includeSubDomains; preload', - }, { key: 'Content-Security-Policy', - value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self' data:; connect-src 'self' https://*.supabase.co wss://*.supabase.co https://*.supabase.net wss://*.supabase.net; frame-ancestors 'self';", + value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self' data:; connect-src 'self' https://*.supabase.co wss://*.supabase.co https://*.supabase.net wss://*.supabase.net; frame-ancestors 'self'; form-action 'self';", }, ], },