perf: remove nonce-based CSP, switch to static CSP headers

Slashgear · claude · Slashgear · commit 581db9c6ef70 · 2026-02-07T19:36:45.000+01:00
Remove await headers() from root layout that was forcing all pages
into dynamic rendering. Move CSP to static headers in next.config.ts
(nonce not needed since the only inline script is application/ld+json).
Delete proxy.ts (dead code).

This re-enables static generation and ISR across the entire site.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/app/layout.tsx b/app/layout.tsx
@@ -1,25 +1,20 @@
 import { Metadata, Viewport } from 'next';
 import React, { ReactNode } from 'react';
-import { headers } from 'next/headers';
 import { Header } from '../modules/header/Header';
 import { Footer } from '../modules/footer/Footer';
 
 import 'normalize.css';
 import '../styles/globals.css';
 import { ORGANISATION_MARKUP } from './org-markup';
 
-export default async function AppLayout({ children }: { children: ReactNode }) {
-  const header = await headers();
-  const nonce = header.get('x-nonce');
-
+export default function AppLayout({ children }: { children: ReactNode }) {
   return (
     <html lang="fr-FR">
       <body>
         <div id="__next">
           <Header />
           <script
             type="application/ld+json"
-            nonce={`${nonce}`}
             dangerouslySetInnerHTML={{
               __html: JSON.stringify(ORGANISATION_MARKUP),
             }}
diff --git a/next.config.ts b/next.config.ts
@@ -68,6 +68,24 @@ const nextConfig: NextConfig = {
             key: 'Permissions-Policy',
             value: 'camera=(), microphone=(), geolocation=(), browsing-topics=()',
           },
+          {
+            key: 'Content-Security-Policy',
+            value: [
+              "default-src 'none'",
+              "script-src 'self'",
+              "img-src 'self' https://secure-content.meetupstatic.com/ https://images.ctfassets.net/ https://assets.vercel.com/ https://secure.meetupstatic.com/ https://img.youtube.com/",
+              "style-src 'self' 'unsafe-inline'",
+              'frame-src https://www.youtube.com/',
+              "manifest-src 'self'",
+              "object-src 'none'",
+              "form-action 'none'",
+              "connect-src 'self'",
+              "font-src 'self'",
+              "base-uri 'self'",
+              "frame-ancestors 'none'",
+              'upgrade-insecure-requests',
+            ].join('; '),
+          },
         ],
       },
     ];
diff --git a/proxy.ts b/proxy.ts
