fix: Add comprehensive security headers to prevent phishing detection

- Added Strict-Transport-Security (HSTS) with preload to next.config.js and vercel.json
- Implemented Content-Security-Policy (CSP) to restrict resource loading
- Added X-Frame-Options, X-XSS-Protection, X-Content-Type-Options headers
- Configured Referrer-Policy and Permissions-Policy
- Should help resolve Chrome Safe Browsing phishing warning

Author: josegomez-dev

next.config.js

@@ -5,6 +5,57 @@ const nextConfig = {
   compress: true,
   generateEtags: false,
 
+  // Security headers to prevent phishing and malware detection
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          {
+            key: 'Strict-Transport-Security',
+            value: 'max-age=63072000; includeSubDomains; preload'
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff'
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY'
+          },
+          {
+            key: 'X-XSS-Protection',
+            value: '1; mode=block'
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin'
+          },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=()'
+          },
+          {
+            key: 'Content-Security-Policy',
+            value: [
+              "default-src 'self'",
+              "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://apis.google.com https://www.gstatic.com",
+              "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+              "font-src 'self' https://fonts.gstatic.com data:",
+              "img-src 'self' data: https: blob:",
+              "connect-src 'self' https://horizon-testnet.stellar.org https://horizon.stellar.org https://www.googleapis.com https://identitytoolkit.googleapis.com https://securetoken.googleapis.com wss://horizon-testnet.stellar.org wss://horizon.stellar.org",
+              "frame-src 'self' https://*.youtube.com https://www.youtube.com",
+              "base-uri 'self'",
+              "form-action 'self'",
+              "frame-ancestors 'none'",
+              "upgrade-insecure-requests"
+            ].join('; ')
+          }
+        ]
+      }
+    ]
+  },
+
   // ESLint configuration - ignore during builds to prevent warnings from failing CI
   eslint: {
     // Ignore ESLint during builds - run linting separately in CI

vercel.json

@@ -15,6 +15,10 @@
     {
       "source": "/(.*)",
       "headers": [
+        {
+          "key": "Strict-Transport-Security",
+          "value": "max-age=63072000; includeSubDomains; preload"
+        },
         {
           "key": "X-Content-Type-Options",
           "value": "nosniff"
@@ -26,6 +30,14 @@
         {
           "key": "X-XSS-Protection",
           "value": "1; mode=block"
+        },
+        {
+          "key": "Referrer-Policy",
+          "value": "strict-origin-when-cross-origin"
+        },
+        {
+          "key": "Permissions-Policy",
+          "value": "camera=(), microphone=(), geolocation=()"
         }
       ]
     }