From b8f85326ed28b0768bb236dddde238aabb8ea791 Mon Sep 17 00:00:00 2001
From: posimai <posimai.project@gmail.com>
Date: Mon, 20 Apr 2026 17:09:21 +0900
Subject: [PATCH] security: add CSP and HSTS headers to vercel.json

---
 vercel.json | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/vercel.json b/vercel.json
index 4058d28..0faaff3 100644
--- a/vercel.json
+++ b/vercel.json
@@ -27,6 +27,14 @@
         {
           "key": "Referrer-Policy",
           "value": "strict-origin-when-cross-origin"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://cdn.jsdelivr.net https://esm.sh; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; media-src 'self' https:; connect-src 'self' https://api.soar-enrich.com wss://api.soar-enrich.com https:; worker-src 'self'; frame-ancestors 'none';"
+        },
+        {
+          "key": "Strict-Transport-Security",
+          "value": "max-age=31536000; includeSubDomains"
         }
       ]
     }