fix(security): add content security policy#2353

Merged
jeanduplessis merged 14 commits into main from fix/pentest-m3-csp
May 7, 2026

Conversation

@jeanduplessis jeanduplessis commented Apr 13, 2026

Summary

The code-related pentest M3 CSP finding is addressed with a global CSP builder, CSP report-only by default, Sentry security-policy reporting, and explicit allowlists for known production integrations.

M3: Global Content Security Policy

  • Adds a shared CSP builder and applies CSP globally from proxy.ts, while preserving existing magic-link no-cache/noindex headers.
  • Adds CSP_MODE=enforce|report-only|off rollout control. Default is report-only; report-only emits Content-Security-Policy-Report-Only; enforce emits Content-Security-Policy; off skips CSP and reporting headers.
  • Sends CSP violation reports to Sentry via report-uri, report-to, Report-To, and Reporting-Endpoints, deriving the security endpoint from NEXT_PUBLIC_SENTRY_DSN.
  • Adds required connect-src entries for Sentry ingest and explicit Gastown WebSocket origins derived from NEXT_PUBLIC_GASTOWN_URL.
  • Serves GTM and Impact bootstrap scripts from same-origin API routes instead of inline root-layout scripts, avoiding headers() in the root layout and avoiding site-wide dynamic rendering for CSP.
  • Adds known production integration sources for Stripe, Stytch/login domains, PostHog, Turnstile, Pylon, Churnkey, app-builder previews, YouTube embeds, lottie fallback hosts, Gravatar, OpenRouter icons, and app websocket/connect origins.
  • Removes directive-specific CSP_ADDITIONAL_* env override support because changing env still requires redeployment.
  • Keeps script-src 'unsafe-inline' and style-src 'unsafe-inline' for Next.js static App Router compatibility and runtime styles. This is weaker than nonce-only CSP but avoids breaking hydration or forcing every route dynamic.

Verification

N/A

Visual Changes

N/A

Reviewer Notes

  • CSP now defaults to report-only, so violations should be reported without blocking browser loads/actions unless CSP_MODE=enforce is explicitly set.
  • Recommended rollout: deploy with the default report-only mode, inspect Sentry CSP reports and browser console violations, then switch to CSP_MODE=enforce after validating core flows.
  • If production breaks after enforcement, set CSP_MODE=off or return to report-only and redeploy; no hot CSP allowlist override remains.
  • Rollout watchpoints: Pylon support widget, Churnkey cancel flow, Stripe SCA/checkout, Turnstile, GTM/Impact/PostHog event volume, Gastown websocket traffic, and Sentry CSP report ingestion.
  • GTM can still inject tags configured outside the repo. Those hosts must be added to code before enforcement if reports show violations.
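Added example, not the project's security-headers.ts or proxy.ts: a minimal builder showing how the CSP_MODE switch described above selects the emitted header (or none), and how a Sentry DSN becomes the report-uri / Report-To / Reporting-Endpoints targets. The DSN-to-endpoint mapping assumes Sentry's documented security endpoint shape (`/api/<project>/security/?sentry_key=<key>`); the directive allowlist and the DSN value are constructed placeholders.

```typescript
type CspMode = "enforce" | "report-only" | "off";

interface CspHeader { name: string; value: string; }

// Derive the Sentry security-report endpoint from a DSN of the form
// scheme://publicKey@host/projectId (assumed layout; placeholder DSN in the test).
function sentrySecurityEndpoint(dsn: string): string {
  const u = new URL(dsn);
  const projectId = u.pathname.replace(/^\/+/, "");
  return `${u.protocol}//${u.host}/api/${projectId}/security/?sentry_key=${u.username}`;
}

// Build the header list for one response. "off" emits nothing at all;
// "report-only" and "enforce" differ only in the header name.
function buildCspHeaders(mode: CspMode, sentryDsn?: string): CspHeader[] {
  if (mode === "off") return [];

  const connectSrc = ["'self'"];
  const reporting: string[] = [];
  const headers: CspHeader[] = [];

  if (sentryDsn) {
    const endpoint = sentrySecurityEndpoint(sentryDsn);
    connectSrc.push(new URL(sentryDsn).origin); // browser SDK ingest must be allowed
    reporting.push(`report-uri ${endpoint}`, "report-to csp-endpoint");
    // Both the newer Reporting-Endpoints and the legacy Report-To header
    // point the "csp-endpoint" group at the same Sentry URL.
    headers.push({ name: "Reporting-Endpoints", value: `csp-endpoint="${endpoint}"` });
    headers.push({
      name: "Report-To",
      value: JSON.stringify({ group: "csp-endpoint", max_age: 86400, endpoints: [{ url: endpoint }] }),
    });
  }

  // Illustrative allowlist; 'unsafe-inline' kept for App Router hydration as the PR notes.
  const directives = [
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline'",
    "style-src 'self' 'unsafe-inline'",
    `connect-src ${connectSrc.join(" ")}`,
    ...reporting,
  ];
  const name = mode === "enforce" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only";
  headers.unshift({ name, value: directives.join("; ") });
  return headers;
}
```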

kilo-code-bot Bot commented Apr 13, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • apps/web/src/lib/security-headers.test.ts
  • apps/web/src/lib/security-headers.ts

Reviewed by gpt-5.5-2026-04-23 · 674,061 tokens

@jeanduplessis jeanduplessis merged commit f3a985d into main May 7, 2026
13 checks passed
@jeanduplessis jeanduplessis deleted the fix/pentest-m3-csp branch May 7, 2026 08:13