sec: Add Content-Security-Policy Header

[gowthamrdyy]

Adding a Content-Security-Policy (CSP) header to next.config.mjs restricts the resources (such as JavaScript, CSS, Images) that the browser is allowed to load. This significantly reduces the risk and impact of Cross-Site Scripting (XSS) attacks.

I am contributing on behalf of GSSoc’26

[gowthamrdyy]

/assign

[PranavAgarkar07]

Hi! I'd like to work on this issue under GSSoC 2026.

Approach: I'll configure CSP headers in next.config.mjs using the headers() async function to add a Content-Security-Policy response header. I'll start with a restrictive baseline (default-src 'self') and progressively relax directives (script-src, style-src, img-src, connect-src, font-src) based on the actual external resources the dashboard loads — GitHub API, Supabase, Google Fonts, and any CDN assets. I'll test that no resources are blocked by monitoring the browser console, and optionally set up report-uri for ongoing CSP violation monitoring in production.

I have experience with Next.js security headers and CSP configuration. Please assign me this issue.

[github-actions]

Assigned to @PranavAgarkar07! You have 7 days to open a PR. No PR after 7 days = auto-unassigned so others can pick it up. Good luck!