fix(security): Harden Content-Security-Policy header — add base-uri, object-src, Supabase connect-src#2159

Open
gowthamrdyy wants to merge 1 commit into Priyanshu-byte-coder:main from gowthamrdyy:fix/add-content-security-policy-header

Conversation

@gowthamrdyy
Contributor

Summary

Closes #2148

This PR hardens the existing Content-Security-Policy (CSP) header in next.config.mjs by closing several attack vectors that the current policy left open.

Changes

| Directive | Before | After | Why |
|---|---|---|---|
| base-uri | (missing) | 'none' | Prevents <base> tag injection — an attacker-controlled <base href> can redirect all relative URLs (scripts, links) to a malicious domain |
| object-src | (missing) | 'none' | Disables legacy Flash/Java plugin execution, a well-known XSS vector |
| upgrade-insecure-requests | (missing) | ✅ present | Instructs browsers to upgrade HTTP sub-resource requests to HTTPS automatically, preventing mixed-content downgrade |
| connect-src | api.github.com, groq.com | + *.supabase.co, wss://*.supabase.co, *.upstash.io | Supabase realtime WebSocket and REST calls were blocked in strict CSP environments; Upstash Redis health-check calls similarly |
| img-src | data: | + blob: | Canvas-generated image exports (e.g., ExportButton) use blob: object URLs |
| worker-src | (missing) | blob: | Required for next-pwa service worker registration |
| Format | Single long string | Array joined with '; ' | Dramatically improves readability and diff-ability of future CSP changes |

Testing

  • ✅ No TypeScript errors (pnpm run type-check)
  • ✅ Lint clean (pnpm run lint)
  • ✅ Manually verified header is served in dev mode

GSSoc'26

🙋 Contributing on behalf of GSSoc'26. This is a level3 + type:security contribution.

- Add base-uri 'none' to block <base> tag injection attacks
- Add object-src 'none' to disable Flash/plugin XSS vectors
- Add upgrade-insecure-requests for automatic HTTP→HTTPS sub-resource upgrade
- Expand connect-src to include Supabase (*.supabase.co, wss://*.supabase.co)
  and Upstash Redis (*.upstash.io) so authenticated API calls are not blocked
- Add worker-src blob: for next-pwa service worker compatibility
- Add blob: to img-src for canvas-generated image exports
- Restructure as an array joined with '; ' for improved readability

Closes Priyanshu-byte-coder#2148
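A maintainer checking the "Changes" table above against the header the app actually serves could run something like the following. This is an added example, not code from the PR or the project: `cspHeader` reproduces the PR's value the same way the PR builds it, and the audit rules in `auditCsp` are this example's own checklist derived from the table (the `has`/`findings` names are assumptions).

```javascript
// Added example (not the PR's code). cspHeader reproduces the PR's value.
const cspHeader = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
  "font-src 'self' https://fonts.gstatic.com",
  "img-src 'self' data: blob: https://avatars.githubusercontent.com https://github.githubassets.com",
  "connect-src 'self' https://api.github.com https://groq.com https://api.groq.com https://*.supabase.co wss://*.supabase.co https://*.upstash.io",
  "frame-ancestors 'none'",
  "base-uri 'none'",
  "object-src 'none'",
  "upgrade-insecure-requests",
  "worker-src blob:",
].join("; ");

// "name src src; name src" -> Map(directive -> [sources]); first occurrence wins, as in browsers.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns a list of findings; an empty list means every checked property holds.
function auditCsp(header) {
  const d = parseCsp(header);
  const has = (name, src) => (d.get(name) || []).includes(src);
  const findings = [];
  if (!has("base-uri", "'none'") && !has("base-uri", "'self'"))
    findings.push("base-uri missing: <base href> injection not blocked");
  if (!has("object-src", "'none'"))
    findings.push("object-src not 'none': plugin content allowed");
  if (!d.has("upgrade-insecure-requests"))
    findings.push("upgrade-insecure-requests missing");
  // script-src falls back to default-src when absent, so audit the effective list.
  const script = d.get("script-src") || d.get("default-src") || [];
  if (script.includes("'unsafe-inline'") || script.includes("'unsafe-eval'"))
    findings.push("script-src allows inline/eval: injected script still runs");
  if (d.has("worker-src") && !has("worker-src", "'self'"))
    findings.push("worker-src lacks 'self': same-origin service worker may be blocked");
  for (const h of ["https://*.supabase.co", "wss://*.supabase.co", "https://*.upstash.io"])
    if (!has("connect-src", h)) findings.push(`connect-src lacks ${h}`);
  return findings;
}
```

Run against the PR's own header it reports two findings (the permissive script-src and the worker-src without 'self'); against a bare `default-src 'self'` it reports the missing hardening directives and hosts.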
Copilot AI review requested due to automatic review settings June 7, 2026 13:41

vercel Bot commented Jun 7, 2026

@gowthamrdyy is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:security GSSoC type bonus: security (+20 pts) labels Jun 7, 2026

github-actions Bot commented Jun 7, 2026

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus


Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the app’s Content Security Policy (CSP) configuration in next.config.mjs to be more explicit, add protections against common injection vectors, and allow required external connections (Supabase/Upstash).

Changes:

  • Refactors CSP header from a single string into a directive array joined by ; for readability/maintainability.
  • Adds additional CSP directives (base-uri, object-src, upgrade-insecure-requests, worker-src) and expands img-src/connect-src allowlists.


Comment thread next.config.mjs
Comment on lines +175 to +187
value: [
"default-src 'self'",
"script-src 'self' 'unsafe-eval' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"font-src 'self' https://fonts.gstatic.com",
"img-src 'self' data: blob: https://avatars.githubusercontent.com https://github.githubassets.com",
"connect-src 'self' https://api.github.com https://groq.com https://api.groq.com https://*.supabase.co wss://*.supabase.co https://*.upstash.io",
"frame-ancestors 'none'",
"base-uri 'none'",
"object-src 'none'",
"upgrade-insecure-requests",
"worker-src blob:",
].join("; "),
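Review bot: `"worker-src blob:"` omits `'self'`, so the same-origin service worker script that next-pwa registers is not covered by the allowed worker sources, which works against the stated goal of that line; suggest `"worker-src 'self' blob:"`. Separately, for a PR titled "Harden Content-Security-Policy", `"script-src 'self' 'unsafe-eval' 'unsafe-inline'"` still permits injected inline script, so the base-uri/object-src additions close secondary vectors while the primary XSS one stays open; if those keywords cannot be dropped yet, a comment above the array explaining why (and a tracking issue for nonces or hashes) would help future readers.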