Document the security headers and Content-Security-Policy architecture #158

@mikewheeleer

Write a security headers and CSP reference doc

Description

The dashboard ships a non-trivial security posture in src/lib/securityHeaders.ts and next.config.ts — a per-route CSP whose connect-src is derived from resolveApiBase, a Permissions-Policy denylist, X-Frame-Options/frame-ancestors, and production-only HSTS — but none of it is documented, so contributors don't understand why 'unsafe-inline' is present (the pre-paint theme script) or how to add an allowed origin. This issue produces a reference doc.

Requirements and context

  • Repository scope: Agentpay-Org/Agentpay-frontend only.
  • Create docs/security-headers.md explaining each header and CSP directive built in securityHeaders.ts, why 'unsafe-inline'/'unsafe-eval' appear (and the dev/prod difference), and how connect-src tracks the API origin.
  • Explain how to safely add a new allowed origin or relax a directive, and the relationship to the theme pre-paint script in src/app/layout.tsx.
  • Cross-link from README.md; ensure every directive named in the doc actually appears in the source.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b docs/docs-security-headers
  • Implement changes
    • Write code in: create docs/security-headers.md (docs only).
    • Write comprehensive tests in: not applicable; instead grep securityHeaders.ts to confirm every documented directive/header exists in source.
    • Add documentation: this issue is the documentation; link it from README.md.
    • Validate each documented header matches the code.
  • Test and commit

Test and commit

  • Run npm run lint and npm run build to confirm no references break.
  • Cross-check every directive/header against the source via search.
  • Include a note confirming the doc matches the in-code header map.
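As an added example (not code from Agentpay-frontend or its securityHeaders.ts), here is a small TypeScript model of the architecture the Description and Requirements sections describe: a per-route header map whose CSP connect-src is derived from the API origin, 'unsafe-eval' only in development, HSTS only in production, and a helper for the "add a new allowed origin" case. It also implements the doc-versus-code cross-check called for under Test and commit, and goes slightly beyond it by checking in both directions (code entries missing from the doc, and doc entries that no longer exist in code). `resolveApiBase`, `buildCsp`, `buildSecurityHeaders`, `parseCsp`, `crossCheckDocs`, `DOCUMENTED_PROD`, every header value and every origin below are assumptions constructed for illustration, not the project's real values.

```typescript
// Added illustration, not code from Agentpay-frontend: a small model of the
// header architecture the issue describes (per-route CSP whose connect-src
// follows the API origin, dev/prod differences, production-only HSTS) plus a
// doc-vs-code cross-check. All names, values and origins here are assumptions.

export type Env = "development" | "production";

// Assumed stand-in for the project's resolveApiBase(): the origin that the
// CSP connect-src directive must track. Both hostnames are constructed.
export function resolveApiBase(env: Env): string {
  return env === "production"
    ? "https://api.example.invalid"
    : "http://localhost:4000";
}

export interface CspOptions {
  env: Env;
  apiBase: string;
  // Extra origins a contributor wants to allow for fetch/XHR ("add a new
  // allowed origin"). Each entry must be a full origin, not a bare host.
  extraConnectSrc?: string[];
}

// Build the CSP string. 'unsafe-inline' on script-src stands in for the
// pre-paint theme script the issue mentions; 'unsafe-eval' is added only in
// development (assumed: dev tooling needs it) and never in production.
export function buildCsp(opts: CspOptions): string {
  const connectSrc = ["'self'", opts.apiBase].concat(opts.extraConnectSrc ?? []);
  const scriptSrc = ["'self'", "'unsafe-inline'"];
  if (opts.env === "development") {
    scriptSrc.push("'unsafe-eval'");
  }
  const directives: Array<[string, string[]]> = [
    ["default-src", ["'self'"]],
    ["script-src", scriptSrc],
    ["style-src", ["'self'", "'unsafe-inline'"]],
    ["img-src", ["'self'", "data:"]],
    ["connect-src", connectSrc],
    ["frame-ancestors", ["'none'"]], // pairs with X-Frame-Options: DENY below
    ["base-uri", ["'self'"]],
    ["form-action", ["'self'"]],
  ];
  return directives.map(([name, values]) => `${name} ${values.join(" ")}`).join("; ");
}

// Header map for one route. HSTS is emitted only for production so a local
// http:// dev server is never pinned to HTTPS by a stray header.
export function buildSecurityHeaders(env: Env, extraConnectSrc: string[] = []): Record<string, string> {
  const headers: Record<string, string> = {
    "Content-Security-Policy": buildCsp({ env, apiBase: resolveApiBase(env), extraConnectSrc }),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
  if (env === "production") {
    headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains";
  }
  return headers;
}

// Parse a CSP string into directive name -> source list.
export function parseCsp(csp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length > 0) {
      out.set(tokens[0], tokens.slice(1));
    }
  }
  return out;
}

// The cross-check from "Test and commit": every header and directive the doc
// names must exist in the built map, and everything in the map must be
// documented. Empty lists mean the doc and the code agree.
export function crossCheckDocs(
  headers: Record<string, string>,
  documented: string[],
): { undocumented: string[]; stale: string[] } {
  const inCode = new Set<string>(Object.keys(headers));
  parseCsp(headers["Content-Security-Policy"] ?? "").forEach((_v, name) => inCode.add(name));
  const inDocs = new Set<string>(documented);
  const undocumented: string[] = [];
  inCode.forEach((name) => { if (!inDocs.has(name)) undocumented.push(name); });
  const stale: string[] = [];
  inDocs.forEach((name) => { if (!inCode.has(name)) stale.push(name); });
  return { undocumented: undocumented.sort(), stale: stale.sort() };
}

// Constructed sample of what docs/security-headers.md would list for production.
export const DOCUMENTED_PROD = [
  "Content-Security-Policy", "X-Frame-Options", "X-Content-Type-Options",
  "Referrer-Policy", "Permissions-Policy", "Strict-Transport-Security",
  "default-src", "script-src", "style-src", "img-src", "connect-src",
  "frame-ancestors", "base-uri", "form-action",
];
```

In a real repository the `DOCUMENTED_PROD` list would be extracted from docs/security-headers.md and the header map imported from src/lib/securityHeaders.ts; running the check once per environment shows why a doc written against production (HSTS present) must say that HSTS is absent in development rather than listing it unconditionally.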

Example commit message

docs(security): document the CSP and hardening header architecture

Guidelines

  • Accuracy over completeness; every directive must match the code.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the AgentPay community on Discord for questions, reviews, and faster merges: https://discord.gg/eXvRKkgcv
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
