From 8ba0aa244867f963401f0edb3864a3a8535f18e5 Mon Sep 17 00:00:00 2001 From: Deepak Pandey Date: Fri, 12 Sep 2025 15:39:23 +0530 Subject: [PATCH 1/2] fix: resolve Razorpay payment gateway issues in production - Fix CSP configuration to allow Razorpay domains in production (vercel.json) - Fix CSP configuration to allow Razorpay domains in development (lib/security/csp-config.ts) - Resolves payment gateway loading issues in production environment - Maintains security while enabling Razorpay checkout functionality Fixes: Razorpay checkout not loading in production due to CSP restrictions --- lib/security/csp-config.ts | 12 ++++++------ vercel.json | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/security/csp-config.ts b/lib/security/csp-config.ts index 7cf966d69..aa3864f3b 100644 --- a/lib/security/csp-config.ts +++ b/lib/security/csp-config.ts @@ -41,12 +41,12 @@ export function getCSPConfig(request: NextRequest): CSPConfig { // Enhanced CSP policy with Cloudflare Insights support const policy = [ "default-src 'self'", - "script-src 'self' 'nonce-" + nonce + "' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com", + "script-src 'self' 'nonce-" + nonce + "' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com", "style-src 'self' 'nonce-" + nonce + "' 'unsafe-inline' https://fonts.googleapis.com", "font-src 'self' https://fonts.gstatic.com", "img-src 'self' data: https: blob:", - "connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co", - "frame-src 'none'", + "connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com", + "frame-src 'self' https://checkout.razorpay.com", "object-src 'none'", "base-uri 'self'", "form-action 'self'", @@ -77,12 +77,12 @@ export function applyCSPHeaders(response: Response, cspConfig: CSPConfig): Respo export function getDevelopmentCSP(): string { return [ "default-src 'self'", - "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com", + "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com", "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com", "font-src 'self' https://fonts.gstatic.com", "img-src 'self' data: https: blob:", - "connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co", - "frame-src 'none'", + "connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com", + "frame-src 'self' https://checkout.razorpay.com", "object-src 'none'", "base-uri 'self'", "form-action 'self'", diff --git a/vercel.json b/vercel.json index 9b3fcc563..df4092904 100644 --- a/vercel.json +++ b/vercel.json @@ -73,7 +73,7 @@ }, { "key": "Content-Security-Policy", - "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;" + "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://vercel.live https://va.vercel-scripts.com https://static.cloudflareinsights.com https://checkout.razorpay.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://*.supabase.co https://*.vercel.app wss://*.supabase.co https://api.razorpay.com; frame-src 'self' https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;" } ] } From 05299c8b8a7aee9912147e8e50ca98ef5368c632 Mon Sep 17 00:00:00 2001 From: Deepak Pandey Date: Fri, 12 Sep 2025 17:32:04 +0530 Subject: [PATCH 2/2] security: fix high severity axios vulnerability - Update axios to version >=1.12.0 to fix DoS vulnerability - Resolves CVE: GHSA-4hjh-wcwx-xvwj - Fixes lack of data size check that could lead to DoS attacks - All security vulnerabilities now resolved (0 found) Security: High severity vulnerability patched --- package-lock.json | 7 ++++--- package.json | 7 ++++++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index f3ff6bd5b..00913170a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4,6 +4,7 @@ "requires": true, "packages": { "": { + "name": "codeunia", "dependencies": { "@google/generative-ai": "^0.24.1", "@radix-ui/react-avatar": "^1.1.10", @@ -6258,9 +6259,9 @@ } }, "node_modules/axios": { - "version": "1.11.0", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.11.0.tgz", - "integrity": "sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==", + "version": "1.12.0", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.12.0.tgz", + "integrity": "sha512-oXTDccv8PcfjZmPGlWsPSwtOJCZ/b6W5jAMCNcfwJbCzDckwG0jrYJFaWH1yvivfCXjVzV/SPDEhMB3Q+DSurg==", "license": "MIT", "dependencies": { "follow-redirects": "^1.15.6", diff --git a/package.json b/package.json index 648814606..8d9de1175 100644 --- a/package.json +++ b/package.json @@ -29,7 +29,12 @@ "test:local:security": "./scripts/test-ci-local.sh security", "test:local:build": "./scripts/test-ci-local.sh build", "test:local:vercel": "./scripts/test-ci-local.sh vercel", - "vercel:setup": "./scripts/setup-vercel-config.sh" + "vercel:setup": "./scripts/setup-vercel-config.sh", + "lighthouse": "lhci autorun", + "lighthouse:local": "lhci autorun --config=lighthouserc.js", + "lighthouse:install": "npm install -g @lhci/cli@0.12.x", + "lighthouse:test": "./scripts/lighthouse-test.sh local", + "lighthouse:custom": "./scripts/lighthouse-test.sh custom" }, "dependencies": { "@google/generative-ai": "^0.24.1",