Skip to content

🛡️ Sentinel: Harden security headers and improve CSP consistency#57

Merged
amrabed merged 1 commit into
mainfrom
sentinel-security-hardening-2536189552405342294
Jun 30, 2026
Merged

🛡️ Sentinel: Harden security headers and improve CSP consistency#57
amrabed merged 1 commit into
mainfrom
sentinel-security-hardening-2536189552405342294

Conversation

@google-labs-jules

Copy link
Copy Markdown
Contributor

🛡️ Sentinel: Security Hardening

🚨 Severity: MEDIUM (Enhancement)

💡 Vulnerability:

  • Missing key security headers (HSTS, Permissions-Policy).
  • Legacy X-XSS-Protection configuration.
  • Inconsistent CSP between main site and documentation.
  • Invalid CSP directive (frame-ancestors) in meta tag.

🎯 Impact:

  • Lack of HSTS could allow downgrade attacks (SSL stripping).
  • Unrestricted browser features (camera, mic) could be exploited if an XSS occurred.
  • Inconsistent CSP could lead to blocked assets or bypasses.

🔧 Fix:

  • Implemented Strict-Transport-Security, Permissions-Policy, and updated X-XSS-Protection in next.config.ts.
  • Synchronized CSP across next.config.ts and docs/layout.tsx.
  • Removed frame-ancestors from meta tags as it's ignored by browsers in that context (kept in headers).

Verification:

  • Ran pnpm build and pnpm --filter docs build (Successful).
  • Ran pnpm test (All 23 unit tests passed).
  • Ran pnpm test:e2e (All 4 E2E tests passed).
  • Verified header logic via manual review.

PR created automatically by Jules for task 2536189552405342294 started by @amrabed

@google-labs-jules

Copy link
Copy Markdown
Contributor Author

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Jun 27, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
typescript Ready Ready Preview, Comment Jun 30, 2026 10:36am

- Add Strict-Transport-Security (HSTS) with preload and subdomains.
- Add Permissions-Policy to restrict sensitive browser features.
- Update X-XSS-Protection to 0 (opting for CSP-based protection).
- Fix CSP inconsistency between main app and docs.
- Remove invalid frame-ancestors from docs meta-tag.
- Maintain unsafe-eval to prevent regressions in Next.js/Nextra.
@amrabed amrabed force-pushed the sentinel-security-hardening-2536189552405342294 branch from a0f3192 to 0af8311 Compare June 30, 2026 10:34
@amrabed amrabed marked this pull request as ready for review June 30, 2026 10:38
@amrabed amrabed self-requested a review as a code owner June 30, 2026 10:38
@amrabed amrabed merged commit a41ee27 into main Jun 30, 2026
3 checks passed
@amrabed amrabed deleted the sentinel-security-hardening-2536189552405342294 branch June 30, 2026 10:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant