🛡️ MEDIUM: Add Content-Security-Policy header to deployment configs

[Mosas2000]

Description

Both vercel.json and netlify.toml set security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) but neither includes a Content-Security-Policy (CSP) header.

Without CSP, the application is more vulnerable to:

• Cross-site scripting (XSS) -- inline scripts or injected script tags execute without restriction
• Data exfiltration -- compromised scripts can send data to any external domain
• Clickjacking variants not covered by X-Frame-Options alone

Note: PR #189 ("add CSP and security headers") was merged previously, but the current vercel.json and netlify.toml on main do not contain a Content-Security-Policy header.

Files Affected

• vercel.json
• netlify.toml

Proposed Fix

Add a CSP header to both deployment configs with key directives:

• default-src 'self'
• script-src 'self' -- no inline scripts
• style-src 'self' 'unsafe-inline' -- Tailwind needs inline styles
• img-src 'self' https: data: -- allow HTTPS images and data URIs for avatars
• connect-src 'self' https://api.hiro.so https://api.testnet.hiro.so https://api.coingecko.com -- allowlist APIs
• font-src 'self'
• frame-ancestors 'none' -- redundant with X-Frame-Options but belt-and-suspenders

Severity

Medium -- Defense-in-depth gap

Labels

security, infrastructure