chore: configure csp (#144)

* chore: configure csp

* fix: redirect to catalog page clicking on logo

Author: peppescg

next.config.ts

@@ -2,10 +2,59 @@ import type { NextConfig } from "next";
 
 const isDev = process.env.NODE_ENV !== "production";
 
+/**
+ * Content Security Policy header.
+ * All API calls (OIDC, backend API) happen server-side,
+ * so browser CSP only needs 'self'.
+ */
+const cspHeader = `
+  default-src 'self';
+  script-src 'self' 'unsafe-inline';
+  style-src 'self' 'unsafe-inline';
+  img-src 'self' blob: data:;
+  font-src 'self';
+  connect-src 'self';
+  form-action 'self';
+  frame-ancestors 'none';
+  base-uri 'self';
+  object-src 'none';
+  upgrade-insecure-requests;
+`
+  .replace(/\s{2,}/g, " ")
+  .trim();
+
 const nextConfig: NextConfig = {
-  /* config options here */
   reactCompiler: true,
   output: "standalone",
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "Content-Security-Policy",
+            value: cspHeader,
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "X-Frame-Options",
+            value: "DENY",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "Permissions-Policy",
+            value: "camera=(), microphone=(), geolocation=()",
+          },
+        ],
+      },
+    ];
+  },
   async rewrites() {
     if (!isDev) return [];
 

src/components/navbar-logo.tsx

@@ -1,10 +1,11 @@
+import Link from "next/link";
 import { ToolHiveIcon } from "@/components/icons";
 
 export function NavbarLogo() {
   return (
-    <div className="flex items-center gap-2">
+    <Link href="/catalog" className="flex items-center gap-2">
       <ToolHiveIcon className="size-5 shrink-0" />
       <span className="text-2xl font-bold tracking-tight">ToolHive</span>
-    </div>
+    </Link>
   );
 }