
fix(headers): add security headers #2350

Open
jeanduplessis wants to merge 1 commit into main from fix/pentest-l1-security-headers

Conversation

@jeanduplessis
Contributor

@jeanduplessis jeanduplessis commented Apr 13, 2026

Summary

Code-related pentest findings [private access to Kilo team members only] are now addressed without broad product rewrites. Each fix focuses on closing the reported behavior while preserving existing auth, analytics, payments, and device-token flows.

L1: Missing security headers

Why needed:
The app already sent several security headers, but the pentest flagged missing hardening headers and X-Powered-By exposure.

Solution chosen:
Disabled Next's powered-by header and added XSS protection disablement, referrer policy, permissions policy, CORP, and COEP report-only headers while preserving existing HSTS, COOP, X-Frame-Options, and nosniff headers.

Trade-off:
Shipped Cross-Origin-Embedder-Policy-Report-Only instead of enforced COEP. Enforced COEP can break third-party scripts/assets unless every provider sends compatible CORS/CORP headers.

Legacy XSS filter decision:
Sets X-XSS-Protection: 0 rather than enabling legacy browser XSS filters, which can create browser-specific bypass behavior and are deprecated in modern hardening guidance.

Verification

  • Local dev environment verification

Visual Changes

N/A

Reviewer Notes

Code Reviewer Notes
  • Header changes are centralized in apps/web/next.config.mjs.
  • poweredByHeader: false removes the framework disclosure header.
  • Existing HSTS, COOP, X-Frame-Options, and X-Content-Type-Options: nosniff behavior is preserved.
  • COEP is Cross-Origin-Embedder-Policy-Report-Only for compatibility with Stripe/Stytch/Impact/GTM/PostHog/Turnstile resources.
  • Permissions policy disables browser capabilities not needed by the app: geolocation, camera, and microphone.
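As an added illustration of the header set the description lists (this is not the PR's own diff, which the page does not show), the block below sketches the next.config.mjs shape and a checker that flags the L1 gaps: missing hardening headers, a wrong X-XSS-Protection value, a disclosed X-Powered-By, or a Permissions-Policy that fails to disable geolocation, camera or microphone. Header values marked "assumed" are mine; the page only names those headers.

```javascript
// Header set assumed for this example. The PR names these headers but not
// every value; entries marked "assumed" are mine, not the merged diff's.
const SECURITY_HEADERS = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' }, // existing, value assumed
  { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' },                         // existing, value assumed
  { key: 'X-Frame-Options', value: 'DENY' },                                          // existing, value assumed
  { key: 'X-Content-Type-Options', value: 'nosniff' },                                 // existing
  { key: 'X-XSS-Protection', value: '0' },                                             // added: legacy filter off
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },                // added, value assumed
  { key: 'Permissions-Policy', value: 'geolocation=(), camera=(), microphone=()' },    // added
  { key: 'Cross-Origin-Resource-Policy', value: 'same-origin' },                       // added, value assumed
  { key: 'Cross-Origin-Embedder-Policy-Report-Only', value: 'require-corp' },          // added, report-only
];
const HEADER_RULES = [{ source: '/(.*)', headers: SECURITY_HEADERS }];
// next.config.mjs shape: poweredByHeader: false drops X-Powered-By, headers() applies
// the set to every route (the real file would end with `export default nextConfig`).
const nextConfig = {
  poweredByHeader: false,
  async headers() { return HEADER_RULES; },
};

// Flattens the header rules into the header map a response would carry.
function responseHeadersFor(rules, poweredByHeader) {
  const out = {};
  for (const rule of rules) for (const { key, value } of rule.headers) out[key] = value;
  if (poweredByHeader) out['X-Powered-By'] = 'Next.js';
  return out;
}

// Checks a response's headers against the L1 finding. Returns a list of
// problems; an empty list means the hardening set is present and X-Powered-By is gone.
function checkSecurityHeaders(responseHeaders) {
  const h = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const required = {                      // null = presence only, string = exact value
    'strict-transport-security': null, 'cross-origin-opener-policy': null,
    'x-frame-options': null, 'x-content-type-options': 'nosniff',
    'x-xss-protection': '0', 'referrer-policy': null, 'permissions-policy': null,
    'cross-origin-resource-policy': null, 'cross-origin-embedder-policy-report-only': null,
  };
  const problems = [];
  for (const [name, expected] of Object.entries(required)) {
    if (!(name in h)) problems.push(`missing ${name}`);
    else if (expected !== null && h[name] !== expected) problems.push(`${name} is "${h[name]}", expected "${expected}"`);
  }
  if ('x-powered-by' in h) problems.push('x-powered-by disclosed');
  const pp = h['permissions-policy'];     // only inspect capabilities when the header exists
  if (pp) for (const cap of ['geolocation', 'camera', 'microphone']) {
    if (!pp.includes(`${cap}=()`)) problems.push(`permissions-policy does not disable ${cap}`);
  }
  return problems;
}
```

Running `checkSecurityHeaders` over the headers of a real response (for example from a `curl -sI` of the deployed app) gives a quick regression check that the L1 fix has not been undone by a later config change.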

@kilo-code-bot
Contributor

kilo-code-bot bot commented Apr 13, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)
  • apps/web/next.config.mjs

Reviewed by gpt-5.4-20260305 · 152,669 tokens
