
Add Content-Security-Policy and security headers to Vercel deployment#11

Draft
Copilot wants to merge 2 commits into main from copilot/add-csp-header-configuration

Conversation


Copilot AI commented Feb 3, 2026

Critical security issue: CSP header not set on https://pcstyle.dev, leaving the site vulnerable to XSS and data injection attacks.

Changes

  • CSP header configured in vercel.json with whitelisted domains:

    • Scripts: cdn.tailwindcss.com, esm.sh
    • Styles: fonts.googleapis.com, cdn.tailwindcss.com
    • Fonts: fonts.gstatic.com
    • Images: og.pcstyle.dev
    • Includes frame-ancestors 'none', base-uri 'self', form-action 'self'
  • Additional security headers:

    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Referrer-Policy: strict-origin-when-cross-origin
    • Permissions-Policy: camera=(), microphone=(), geolocation=()

Implementation

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://esm.sh; ..."
        }
      ]
    }
  ]
}

Note: unsafe-inline and unsafe-eval required for Tailwind CDN. Migrating to build-time Tailwind would eliminate this but requires architecture changes beyond scope.

Original prompt

Critical: Content Security Policy (CSP) header not set

We found 1 issue: last detected 15 hours ago (Surface Monitoring)

TL;DR

Content Security Policy (CSP) is a first line of defense against common attacks including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft via account takeovers to site defacement or distribution of malware. CSP config allows you to declare what content can be loaded and executed via a standard HTTP header. You can whitelist JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

How do I fix it?

Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

Subissues: 1

URL: https://pcstyle.dev (Critical)

fix pls.




Summary by cubic

Adds a Content Security Policy (CSP) and standard security headers to harden the app. The policy whitelists our CDNs (Tailwind, Google Fonts, esm.sh, og.pcstyle.dev) so fonts/icons load consistently without regressions.

  • New Features
    • CSP with safe defaults: default-src 'self'; script/style/img/font/connect directives; frame-ancestors 'none'; base-uri 'self'; form-action 'self'.
    • Added security headers: X-Frame-Options=DENY, X-Content-Type-Options=nosniff, Referrer-Policy=strict-origin-when-cross-origin, Permissions-Policy (camera/microphone/geolocation disabled).

Written for commit af57eff.
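The policy above is only shown elided in the PR, so here is an added reviewer-side check (not code from this PR or from Vercel): it reads the `Content-Security-Policy` value out of a vercel.json-shaped object, parses the directives, and reports the weaknesses the PR note itself acknowledges ('unsafe-inline'/'unsafe-eval' in script-src) plus any missing hardening directives. The `vercelConfig` object is constructed for the example from the hosts the PR lists, and `parseCsp`, `cspFromVercel` and `auditCsp` are hypothetical helper names.

```javascript
// Added example, not part of the PR. The vercel.json object below is constructed
// from the directives the PR description lists; the real file is shown elided.
const vercelConfig = {
  headers: [{
    source: "/(.*)",
    headers: [
      { key: "Content-Security-Policy",
        value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://esm.sh; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.tailwindcss.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://og.pcstyle.dev; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" },
      { key: "X-Frame-Options", value: "DENY" },
    ],
  }],
};

// Parse "name src src; name src" into a Map of directive name -> [sources].
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Return the CSP value of the first route in a vercel.json "headers" array, or null.
function cspFromVercel(config) {
  for (const route of config.headers || []) {
    const h = (route.headers || []).find(x => x.key.toLowerCase() === "content-security-policy");
    if (h) return h.value;
  }
  return null;
}

// Findings a reviewer would raise: unsafe keywords in the effective script source
// list, missing anti-framing/base/form directives, and an object-src that falls
// back to a default-src other than 'none'.
function auditCsp(directives) {
  const findings = [];
  const fallback = directives.get("default-src") || [];
  const script = directives.get("script-src") || fallback;
  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (script.includes(kw)) findings.push(`script-src allows ${kw}`);
  }
  for (const d of ["frame-ancestors", "base-uri", "form-action"]) {
    if (!directives.has(d)) findings.push(`missing ${d}`);
  }
  if (!directives.has("object-src") && !fallback.includes("'none'")) {
    findings.push("missing object-src (default-src is not 'none')");
  }
  return findings;
}

console.log(auditCsp(parseCsp(cspFromVercel(vercelConfig))));
```

Run against the constructed policy it reports the two unsafe script keywords and the absent object-src, which is the residual risk the PR's note about the Tailwind CDN describes.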


vercel bot commented Feb 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: pcstyledev | Deployment: Error | Updated (UTC): Feb 3, 2026 6:30pm

Co-authored-by: pc-style <134572227+pc-style@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Content Security Policy header configuration Add Content-Security-Policy and security headers to Vercel deployment Feb 3, 2026
Copilot AI requested a review from pc-style February 3, 2026 18:31
