
Conversation

@Klakurka Klakurka commented Oct 16, 2025

Description

Reported via contact email

Test plan

Forwarded separately.

Summary by CodeRabbit

  • Chores
    • Enhanced security configuration to prevent unauthorized embedding of the application in external frames, strengthening protection against potential clickjacking attacks.

@Klakurka Klakurka requested a review from chedieck October 16, 2025 22:54
@Klakurka Klakurka self-assigned this Oct 16, 2025
@Klakurka Klakurka added bug Something isn't working enhancement (behind the scenes) Stuff that users won't see labels Oct 16, 2025
coderabbitai bot commented Oct 16, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

A new async headers() function is added to next.config.js that applies security HTTP headers to all routes. The function sets X-Frame-Options to SAMEORIGIN and Content-Security-Policy with frame-ancestors 'self' for all paths.

Changes

Cohort / File(s): Security headers configuration (next.config.js)
Change Summary: Added async headers() function to the export that applies X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'self' headers to all routes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A rabbit hops through headers with glee,
Securing the frame for all eyes to see,
X-Frame-Options stand guard at the gate,
CSP whispers: "Self only, no freight!"
One little function, so simple, so sweet,
Makes clickjacking threats face retreat. 🛡️


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 55e10cb and aa8263c.

📒 Files selected for processing (1)
  • next.config.js (1 hunks)

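The headers() hook the walkthrough describes, as an added example that is not the project's actual next.config.js, together with a simplified frame-ancestors matcher for checking which embedding origins the policy permits; the origins used with it are assumed placeholders, and the matcher only handles 'self', 'none', '*' and exact origins.

```javascript
// Added example, not the project's own next.config.js: the headers() hook
// described in the walkthrough, plus a simplified frame-ancestors matcher
// for checking which embedding origins the policy would permit.

// Header values taken from the walkthrough; both deny cross-origin framing.
const securityHeaders = [
  { key: "X-Frame-Options", value: "SAMEORIGIN" },
  { key: "Content-Security-Policy", value: "frame-ancestors 'self'" },
];

// Route/header rules in the shape Next.js expects from headers();
// "/:path*" matches every route.
function buildHeaderRules() {
  return [{ source: "/:path*", headers: securityHeaders }];
}

const nextConfig = {
  async headers() {
    return buildHeaderRules();
  },
};

// Simplified (assumed) matcher: does the frame-ancestors directive in
// `cspValue` let a page at `embedderOrigin` frame our app at `selfOrigin`?
// Only 'self', 'none', '*' and exact origin sources are handled; real
// browsers also match schemeless hosts and wildcard subdomains.
function frameAllowed(cspValue, selfOrigin, embedderOrigin) {
  const directive = cspValue
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("frame-ancestors"));
  // No frame-ancestors directive: CSP places no restriction on framing
  // (the pre-fix state this PR addresses).
  if (!directive) return true;
  const sources = directive.split(/\s+/).slice(1);
  if (sources.includes("'none'")) return false;
  return sources.some((src) => {
    if (src === "'self'") return embedderOrigin === selfOrigin;
    if (src === "*") return true;
    return src === embedderOrigin;
  });
}

// Export for Next.js when loaded as a CommonJS config file.
if (typeof module !== "undefined") module.exports = nextConfig;
```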

@Klakurka Klakurka closed this Oct 16, 2025
@Klakurka Klakurka deleted the fx/clickjacking-on-signin branch October 16, 2025 22:55