chore: add security headers (#7)

Signed-off-by: Will Manning <[email protected]>

Author: lwwmanning

CLAUDE.md

@@ -4,10 +4,10 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Development Commands
 
-- `npm run dev` - Start development server with Turbopack
-- `npm run build` - Build production application
-- `npm run lint` - Run ESLint
-- `npm start` - Start production server
+- `bun run dev` - Start development server with Turbopack
+- `bun run build` - Build production application
+- `bun run lint` - Run ESLint
+- `bun start` - Start production server
 
 ## Architecture Overview
 

next.config.ts

@@ -2,7 +2,27 @@ import type { NextConfig } from "next";
 import { withPlausibleProxy } from "next-plausible";
 
 const nextConfig: NextConfig = withPlausibleProxy()({
-  /* config options here */
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff',
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY',
+          },
+          {
+            key: 'Content-Security-Policy',
+            value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' plausible.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' plausible.io vitals.vercel-insights.com; worker-src 'self' blob:; child-src 'self' blob:;",
+          },
+        ],
+      },
+    ];
+  },
 });
 
 export default nextConfig;