security: add CSP and HSTS headers to vercel.json

2026-04-20 17:10:01 +09:00 · 2026-04-20 17:10:01 +09:00 · f0d38cc287
parent 0ad6e8fb22
commit f0d38cc287
1 changed files with 27 additions and 10 deletions
--- a/vercel.json
+++ b/vercel.json
@ -1,14 +1,31 @@
 {
-    "rewrites": [
-        { "source": "/api/(.*)", "destination": "/api/$1" }
-    ],
-    "headers": [
+  "rewrites": [
+    {
+      "source": "/api/(.*)",
+      "destination": "/api/$1"
+    }
+  ],
+  "headers": [
+    {
+      "source": "/(.*)",
+      "headers": [
        {
-            "source": "/(.*)",
-            "headers": [
-                { "key": "X-Content-Type-Options", "value": "nosniff" },
-                { "key": "X-Frame-Options", "value": "DENY" }
-            ]
+          "key": "X-Content-Type-Options",
+          "value": "nosniff"
+        },
+        {
+          "key": "X-Frame-Options",
+          "value": "DENY"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://unpkg.com https://cdn.jsdelivr.net https://esm.sh; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; media-src 'self' https:; connect-src 'self' https://api.soar-enrich.com wss://api.soar-enrich.com https:; worker-src 'self'; frame-ancestors 'none';"
+        },
+        {
+          "key": "Strict-Transport-Security",
+          "value": "max-age=31536000; includeSubDomains"
        }
-    ]
+      ]
+    }
+  ]
 }