fix(web): frontend quality — XSS, error states, a11y, image optimization, security headers

- Whitelist OAuth error codes; never render raw URL params (XSS fix) - Add error state UI with retry button for API failures on homepage and search - Use <article> for property cards with ARIA labels and semantic list markup - Replace raw <img> with Next.js <Image> across all listing/gallery/KYC pages - Add security headers (X-Content-Type-Options, X-Frame-Options, etc.) in next.config.js - Gate console.error behind NODE_ENV check in global error boundary - Mapbox confirmed npm-bundled (SRI N/A) Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:32:08 +07:00
parent e9889539ea
commit afa70320f5
11 changed files with 215 additions and 104 deletions
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@@ -2,6 +2,28 @@
 const nextConfig = {
  reactStrictMode: true,
  output: 'standalone',
+  images: {
+    remotePatterns: [
+      {
+        protocol: 'https',
+        hostname: '**',
+      },
+    ],
+  },
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'X-XSS-Protection', value: '1; mode=block' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self)' },
+        ],
+      },
+    ];
+  },
 };

 module.exports = nextConfig;