chaynHQ · annarhughes · Dec 4, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/app/api/hello/route.ts b/app/api/hello/route.ts
diff --git a/components/common/Carousel.tsx b/components/common/Carousel.tsx
@@ -128,7 +128,6 @@ const CustomDots = ({ carouselTheme = 'primary' }: { carouselTheme: 'primary' |
 const Carousel = (props: CarouselProps) => {
   const { items, title = 'carousel', theme = 'primary' } = props;
 
-  console.log('calc', items.length % 3 === 1);
   return (
     <Box sx={{ mx: -1 }}>
       <NukaCarousel

diff --git a/components/layout/Header.tsx b/components/layout/Header.tsx
@@ -109,7 +109,7 @@ const Header = (props: HeaderProps) => {
           <Typography variant="h1" component="h1">
             {title}
           </Typography>
-          {getIntroduction()}
+          <Box mb={2}>{getIntroduction()}</Box>
           {progressStatus && <ProgressStatus status={progressStatus} />}
           {cta && <Box mt={4}>{cta}</Box>}
         </Box>

diff --git a/lib/utils/hasAutomaticAccessCodeFeature.test.ts b/lib/utils/hasAutomaticAccessCodeFeature.test.ts
@@ -6,6 +6,7 @@ const partnerData = {
   id: 'partner',
   name: 'partnerName',
   partnerFeature: [],
+  isActive: true,
 } as Partner;
 
 const accessCodePartnerFeature = {

diff --git a/next.config.js b/next.config.js
@@ -125,15 +125,15 @@ module.exports = withBundleAnalyzer(
       // form-action: Restricts form actions to the same origin.
       // frame-ancestors: Restricts embedding to the same origin.
       async headers() {
-        const headers = [
+        return [
           {
             source: '/:path',
             headers: [
               {
-                key: 'Content-Security-Policy-Report-Only', // Leaving this as report only until we have caught all the CSP violations
+                key: 'Content-Security-Policy',
                 value: `
                   default-src 'self';
-                  script-src 'self' 'unsafe-eval' 'unsafe-inline' ${scriptSrcUrls.join(' ')};
+                  script-src 'self' 'unsafe-inline' ${scriptSrcUrls.join(' ')};
                   child-src 'self' blob:;
                   worker-src 'self' ${workerSrcUrls.join(' ')};
                   style-src 'self' 'unsafe-inline' ${styleSrcUrls.join(' ')};
@@ -145,30 +145,47 @@ module.exports = withBundleAnalyzer(
                   base-uri 'self';
                   form-action 'self';
                   frame-ancestors 'self';
+                  upgrade-insecure-requests;
                 `
                   .replace(/\s{2,}/g, ' ')
                   .trim(),
               },
               {
                 key: 'Referrer-Policy',
-                value: 'origin-when-cross-origin',
+                value: 'strict-origin-when-cross-origin',
               },
               {
                 key: 'X-Content-Type-Options',
                 value: 'nosniff',
               },
+              {
+                key: 'X-Frame-Options',
+                value: 'DENY',
+              },
+              {
+                key: 'X-XSS-Protection',
+                value: '1; mode=block',
+              },
+              {
+                key: 'Permissions-Policy',
+                value:
+                  'camera=(), microphone=(), geolocation=(), usb=(), bluetooth=(), payment=(), accelerometer=(), gyroscope=(), magnetometer=(), ambient-light-sensor=(), autoplay=()',
+              },
+              {
+                key: 'Cross-Origin-Opener-Policy',
+                value: 'same-origin-allow-popups',
+              },
+              ...(process.env.NODE_ENV === 'production'
+                ? [
+                    {
+                      key: 'Strict-Transport-Security',
+                      value: 'max-age=31536000; includeSubDomains; preload',
+                    },
+                  ]
+                : []),
             ],
           },
         ];
-        // This enforces HTTPS for all requests so we don't want this for local development
-        if (process.env.NODE_ENV === 'production') {
-          headers[0].headers.push({
-            key: 'Strict-Transport-Security',
-            value: 'max-age=31536000; includeSubDomains; preload',
-          });
-        }
-
-        return headers;
       },
     }),
   ),

diff --git a/scriptUrls.js b/scriptUrls.js
@@ -17,6 +17,7 @@ const scriptSrcUrls = [
   'https://*.hotjar.io',
   'https://*.rollbar.com',
   'https://*.simplybook.it',
+  'https://widget.simplybook.it',
   'https://*.zapier.com',
   'https://fonts.googleapis.com',
   'https://static.hotjar.com',
@@ -69,7 +70,8 @@ const connectSrcUrls = [
   'https://noembed.com',
   'https://*.youtube.com',
   'https://www.youtube.com',
-  process.env.NEXT_PUBLIC_API_BASE_URL, //new env by niksanand1717
+  ...(process.env.NODE_ENV === 'development' ? ['http://localhost:35001'] : []),
+  process.env.NEXT_PUBLIC_API_BASE_URL,
 ];
 const frameSrcUrls = [
   'https://*.hotjar.com',