fix: fix event listener leak in SiteNav and add security headers

- Extract astro:after-swap handler to named function so it can be
  removed in onUnmounted (fixes event listener leak)
- Add vercel.json with security headers (X-Frame-Options, nosniff,
  Referrer-Policy, Permissions-Policy)

Addresses review feedback:
#10142 (review)

Author: christian-byrne

apps/website/src/components/SiteNav.vue

@@ -16,15 +16,18 @@ function onKeydown(e: KeyboardEvent) {
   }
 }
 
+function onAfterSwap() {
+  mobileMenuOpen.value = false
+}
+
 onMounted(() => {
   document.addEventListener('keydown', onKeydown)
-  document.addEventListener('astro:after-swap', () => {
-    mobileMenuOpen.value = false
-  })
+  document.addEventListener('astro:after-swap', onAfterSwap)
 })
 
 onUnmounted(() => {
   document.removeEventListener('keydown', onKeydown)
+  document.removeEventListener('astro:after-swap', onAfterSwap)
 })
 </script>
 

apps/website/vercel.json

@@ -0,0 +1,13 @@
+{
+  "headers": [
+    {
+      "source": "/(.*)",
+      "headers": [
+        { "key": "X-Frame-Options", "value": "DENY" },
+        { "key": "X-Content-Type-Options", "value": "nosniff" },
+        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
+        { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
+      ]
+    }
+  ]
+}