
fix: Deployment & Security Headers Configuration#1388

Open
lspassos1 wants to merge 1 commit intokoala73:mainfrom
lspassos1:fix/security-headers

Conversation

lspassos1 (Collaborator)

Summary

Aligns the vercel.json CSP and Permissions-Policy headers with production standards and fixes related deployment configuration tests.

Type of change

  • Bug fix
  • New feature
  • CI / Build / Infrastructure

Affected areas

  • Config / Settings

Checklist

  • Tested on worldmonitor.app variant
  • No API keys or secrets committed
  • TypeScript compiles without errors (npm run typecheck)

vercel bot commented Mar 10, 2026

@lspassos1 is attempting to deploy a commit to the Elie Team on Vercel.

A member of the Team first needs to authorize it.

chatgpt-codex-connector commented

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

koala73 (Owner) commented Mar 12, 2026

Thanks for tackling security headers @lspassos1! The CSP hardening approach (replacing 'unsafe-inline' with SHA-256 hashes) is the right direction, and the JSON reformatting makes vercel.json much more readable. Appreciate the effort on this.

A few things need addressing before we can merge:

Blocking (5)

  1. X-Frame-Options: DENY conflicts with CSP frame-ancestors — Our CSP explicitly allows iframe embedding from worldmonitor.app subdomains. Adding DENY globally contradicts this and will break cross-subdomain embedding. Either use SAMEORIGIN or omit entirely since frame-ancestors supersedes it in modern browsers.

  2. geolocation=() silently disables geolocation — Changed from geolocation=(self) to geolocation=(). The app uses the Geolocation API for mobile map centering (auto-centers on user's GPS at zoom 6). This will break that feature. Not mentioned in the PR description.

  3. Docs/blog rewrites and headers removed — The /docs proxy to Mintlify, /blog rewrites, and SPA catch-all exclusions for blog/docs are all silently removed. This breaks the live docs site and blog by serving index.html instead. These need to stay.

  4. ignoreCommand replaced without explanation — bash scripts/vercel-ignore.sh replaced with an inline command. The shell script may contain additional logic. Not mentioned in PR description.

  5. SHA-256 hashes are undocumented — 6 sha256-* hashes replace 'unsafe-inline', which is great, but there's no documentation of which inline scripts they correspond to. If any inline script changes (Vite build output, analytics), scripts silently fail. Please document which scripts produce these hashes, and note that runtime-injected scripts (Vercel Analytics, CF Insights) will also be blocked.

Suggestions (2)

  1. Test regex loosened to hide a change — The test regex was widened from \\) to [^)]*\\). Please update the test to assert the exact expected value instead of loosening the match.

  2. Redundant / and /index.html cache rules — These paths already match the SPA catch-all which sets no-cache, no-store, must-revalidate. The additional rules are harmless but redundant.

Nitpicks (1)

  1. Trailing newline removed — POSIX convention expects a trailing newline at end of file.

Scope

The title says "Deployment & Security Headers" but the PR also removes docs/blog infrastructure, changes the build ignore command, reformats the entire JSON, and disables geolocation. Splitting these into separate PRs would make review and rollback much easier.

Happy to re-review once the blockers are addressed!

Repository owner deleted a comment from ashsolei Mar 14, 2026
koala73 force-pushed the fix/security-headers branch from ca35b40 to af03b69 on March 19, 2026 08:59
vercel bot commented Mar 19, 2026

The latest updates on your projects:

Project: worldmonitor; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Mar 19, 2026 9:03am

lspassos1 added a commit to lspassos1/worldmonitor that referenced this pull request Mar 21, 2026
…cation/routing changes

This replaces the previous 'fix: resolve deployment and security header issues' commit.
Addresses all feedback from PR koala73#1388 review:
- Remove X-Frame-Options: DENY to prevent breaking frame-ancestors
- Revert geolocation=() back to geolocation=(self) for mobile map centering
- Reset routing (rewrites/cache exclusions) to main's configuration to fix /docs and /blog access
- Revert ignoreCommand to main's original bash script invocation
- Revert script-src to use 'unsafe-inline' instead of undocumented SHA hashes
- Update deploy-config.test.mjs to accurately validate the updated security policy headers
- Retain cache-control enhancements for entry routes
lspassos1 force-pushed the fix/security-headers branch from af03b69 to 5a9339f on March 21, 2026 00:42
lspassos1 added a commit to lspassos1/worldmonitor that referenced this pull request Mar 21, 2026
…cation/routing changes

This replaces the previous 'fix: resolve deployment and security header issues' commit.
Addresses all feedback from PR koala73#1388 review:
- Remove X-Frame-Options: DENY to prevent breaking frame-ancestors
- Revert geolocation=() back to geolocation=(self) for mobile map centering
- Reset routing (rewrites/cache exclusions) to main's configuration to fix /docs and /blog access
- Revert ignoreCommand to main's original bash script invocation
- Revert script-src to use 'unsafe-inline' instead of undocumented SHA hashes
- Update test to accurately validate the updated security policy headers
- Retain cache-control enhancements for entry routes
lspassos1 force-pushed the fix/security-headers branch from 5a9339f to 608366a on March 21, 2026 00:50

vercel bot commented Mar 21, 2026

Deployment failed with the following error:

The provided GitHub repository does not contain the requested branch or commit reference. Please ensure the repository is not empty.

…cation/routing changes

This replaces the previous 'fix: resolve deployment and security header issues' commit.
Addresses all feedback from PR koala73#1388 review:
- Remove X-Frame-Options: DENY to prevent breaking frame-ancestors
- Revert geolocation=() back to geolocation=(self) for mobile map centering
- Reset routing (rewrites/cache exclusions) to main's configuration to fix /docs and /blog access
- Revert ignoreCommand to main's original bash script invocation
- Revert script-src to use 'unsafe-inline' instead of undocumented SHA hashes
- Update test to accurately validate the updated security policy headers
- Retain cache-control enhancements for entry routes
lspassos1 force-pushed the fix/security-headers branch from 608366a to 03bddec on March 21, 2026 00:54
2 participants