Security: HTTP Headers and CSP Configuration

  Property: ChurchWiseAI   Category: Security Tier: all Persona: security-engineer Touchpoint: all pages (HTTP headers)

Preconditions

• Web server configured (Vercel)
• Security headers middleware in place

Steps

#	Action	Expected Result
1	Check Content-Security-Policy header	CSP set. Restricts scripts to approved domains. No unsafe-inline (except fonts).
2	Check X-Frame-Options header	Set to DENY or SAMEORIGIN. Prevents clickjacking.
3	Check X-Content-Type-Options header	Set to nosniff. Prevents MIME-type sniffing.
4	Check Strict-Transport-Security header	Set to max-age=31536000. Forces HTTPS. Includes subdomains.
5	Check Referrer-Policy header	Set (e.g., strict-origin-when-cross-origin). Controls referrer leaks.
6	Check Permissions-Policy header	Restricts feature access (camera, microphone, geolocation). No unrequired features.
7	Check for CORS headers	Access-Control-Allow-Origin restricted to known domains (not *).
8	Check cookies	Secure flag set. HttpOnly flag set. SameSite=Strict or Lax. No session cookies over HTTP.

Known Failure Modes

• Missing CSP — XSS vulnerability
• unsafe-inline scripts — injection vector
• No X-Frame-Options — clickjacking vulnerability
• No HSTS — MITM attack vector

References

• Playwright spec: e2e (header validation)
• Code files:
  • next.config.js (header config)
  • vercel.json (Vercel headers)
  • src/middleware.ts

Notes

Security headers prevent common web attacks (XSS, clickjacking, MIME sniffing). These are low-cost, high-impact security measures. Check with Mozilla Observatory or BuiltWith. Target: A+ grade on Observatory. Run after security audit.