From 10c87f8fb360d7f7ff59c290331dce07bfbd2cca Mon Sep 17 00:00:00 2001
From: Cho Young-Hwi
Date: Thu, 2 Apr 2026 10:57:42 +0100
Subject: [PATCH 1/2] [#745] Add CSP headers allowing WalletConnect and Farcaster domains

Adds Content-Security-Policy via next.config.ts headers:
- connect-src/default-src: allows https/wss for WalletConnect relay, Supabase, Alchemy, Farcaster SDK, and other external services
- frame-ancestors: allows Farcaster and Base app embedding
- Permissive for https: to avoid breaking existing integrations while establishing a baseline CSP

Fixes #745

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 next.config.ts | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/next.config.ts b/next.config.ts
index e9ffa308..14369c93 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,7 +1,28 @@
 import type { NextConfig } from "next";
 
 const nextConfig: NextConfig = {
- /* config options here */
+ async headers() {
+ return [
+ {
+ source: "/(.*)",
+ headers: [
+ {
+ key: "Content-Security-Policy",
+ value: [
+ "default-src 'self' https: wss: data: blob:",
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline' https:",
+ "style-src 'self' 'unsafe-inline' https:",
+ "img-src 'self' data: blob: https: http:",
+ "font-src 'self' data: https:",
+ "connect-src 'self' https: wss:",
+ "frame-src 'self' https:",
+ "frame-ancestors 'self' https://*.farcaster.xyz https://*.warpcast.com https://base.org https://*.base.org",
+ ].join("; "),
+ },
+ ],
+ },
+ ];
+ },
 };
 
 export default nextConfig;

From 0237abc2db60c7fe192786ca25fc5d01ae6a11c1 Mon Sep 17 00:00:00 2001
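Review bot: The policy built in this hunk sets no `base-uri` and no `form-action`, and neither directive falls back to `default-src`, so a markup injection can still retarget every relative URL with an injected `<base>` tag or post a form to an attacker-controlled origin even with the rest of the policy in place; add `"base-uri 'self'",`, `"form-action 'self'",` and an explicit `"object-src 'none'",` to the `value` array. The `source: "/(.*)"` matcher applies the header to every route, which is right for a baseline, but the commit message's own caveat about not breaking existing integrations argues for introducing it as `Content-Security-Policy-Report-Only` with a `report-to` endpoint and promoting it to the enforcing header once the reports are quiet. Both points carry over to the tightened policy in the follow-up patch, which still omits these directives.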
From: Cho Young-Hwi
Date: Thu, 2 Apr 2026 11:01:33 +0100
Subject: [PATCH 2/2] [#745] Tighten CSP: whitelist specific domains instead of blanket https:

Whitelists specific domains for connect-src:
- WalletConnect (*.walletconnect.com/org, web3modal, pulse)
- RPC providers (base.org, publicnode, drpc, llamarpc, etc.)
- Supabase (*.supabase.co)
- Farcaster/Neynar (api.neynar.com, fc.hunt.town, *.farcaster.xyz)
- Price APIs (coingecko, geckoterminal, quotient, twitterapi)
- IPFS (ipfs.filebase.io, ipfs.io, s3.filebase.com)

Removes blanket https:/wss: from default-src and connect-src.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 next.config.ts | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/next.config.ts b/next.config.ts
index 14369c93..5e9d4894 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -9,13 +9,29 @@ const nextConfig: NextConfig = {
 {
 key: "Content-Security-Policy",
 value: [
- "default-src 'self' https: wss: data: blob:",
- "script-src 'self' 'unsafe-eval' 'unsafe-inline' https:",
- "style-src 'self' 'unsafe-inline' https:",
- "img-src 'self' data: blob: https: http:",
- "font-src 'self' data: https:",
- "connect-src 'self' https: wss:",
- "frame-src 'self' https:",
+ "default-src 'self'",
+ "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
+ "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+ "img-src 'self' data: blob: https:",
+ "font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com",
+ [
+ "connect-src 'self'",
+ // WalletConnect
+ "https://*.walletconnect.com wss://*.walletconnect.com https://*.walletconnect.org wss://*.walletconnect.org https://api.web3modal.com https://pulse.walletconnect.org",
+ // RPC providers
+ "https://mainnet.base.org https://sepolia.base.org https://base-rpc.publicnode.com https://base.drpc.org https://base.llamarpc.com https://base.meowrpc.com https://base-mainnet.public.blastapi.io https://1rpc.io https://base.gateway.tenderly.co https://rpc.notadegen.com https://base.blockpi.network https://developer-access-mainnet.base.org https://base.api.onfinality.io",
+ // Supabase
+ "https://*.supabase.co",
+ // Farcaster & social
+ "https://api.neynar.com https://fc.hunt.town https://*.farcaster.xyz",
+ // Price & reputation
+ "https://api.coingecko.com https://api.geckoterminal.com https://api.quotient.social https://api.twitterapi.io",
+ // IPFS & storage
+ "https://ipfs.filebase.io https://ipfs.io https://s3.filebase.com",
+ // Vercel analytics
+ "https://va.vercel-scripts.com",
+ ].join(" "),
+ "frame-src 'self' https://*.walletconnect.com https://*.farcaster.xyz",
 "frame-ancestors 'self' https://*.farcaster.xyz https://*.warpcast.com https://base.org https://*.base.org",
 ].join("; "),
 },
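Review bot: The `"script-src 'self' 'unsafe-eval' 'unsafe-inline'"` line still lets injected inline script execute, so this policy does not yet mitigate XSS; the tightened connect-src only narrows where such a script can talk, and the blanket `https:` kept in `img-src` together with the `https://*.supabase.co` wildcard (any Supabase project, not only this app's) still leave easy exfiltration channels. Pin Supabase to the project's own hostname, derived from the Supabase URL the app already configures rather than a literal wildcard, and replace `https:` in img-src with the image hosts actually used (the IPFS gateways listed under connect-src are the obvious candidates). Dropping `'unsafe-inline'` properly means a per-request nonce generated in middleware and threaded into this policy, which is a larger change than this config-only edit and can follow as its own PR. The first commit's message mentions Alchemy, yet no alchemy host appears in this allowlist, and there is no `wss://*.supabase.co` entry — if an Alchemy RPC URL or Supabase Realtime is used anywhere, those requests will now be blocked, so confirm both before merging. Given how specific the list is, consider shipping it first as `Content-Security-Policy-Report-Only` with a `report-to` endpoint so blocked integrations surface in reports rather than as user-facing failures.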