Skip to content

fix: apply security headers to all routes, not just protected ones#144

Open
rotarymars wants to merge 1 commit intomainfrom
fix/security-headers-all-routes
Open

fix: apply security headers to all routes, not just protected ones#144
rotarymars wants to merge 1 commit intomainfrom
fix/security-headers-all-routes

Conversation

@rotarymars
Copy link
Member

@rotarymars rotarymars commented Mar 8, 2026
edited by coderabbitai bot
Loading

Description

Applying security headers to all routes.

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to change)
  • 📝 Documentation update
  • 🎨 Style/UI change
  • ♻️ Refactor (no functional changes)
  • 🔧 Configuration change

Changes Made

  • Look diff

Testing

  • Tested locally with npm run dev
  • Build passes (npm run build)
  • Lint passes (npm run lint)

Screenshots (if applicable)

Checklist

  • My code follows the project's coding style
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Related Issues

Summary by CodeRabbit

  • Refactor
    • Consolidated middleware response handling to unify header management across login, authentication, protected, and general API routes.
    • Implemented centralized header application logic to ensure consistent formatting across all endpoints, improving request handling reliability.
    • Restructured response processing for improved uniformity throughout the application's request handling layer.

@vercel
Copy link

vercel bot commented Mar 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
kss-it-committee-github-io Ready Ready Preview, Comment Mar 8, 2026 2:04pm

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 8, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The middleware now consistently applies security headers across all routes through a new helper function instead of inline header assignments. Previously, different routes applied headers inconsistently; now addSecurityHeaders() centralizes the addition of Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy headers.

Changes

Cohort / File(s) Summary
Security Headers Refactoring
src/middleware.ts		 Extracted security header logic into a reusable addSecurityHeaders() helper function and applied it uniformly across login, API-auth, protected routes, and all other routes for consistent security posture.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

enhancement

Suggested reviewers

  • katsumata68
  • SakaYq4875
  • hatuna-827
  • kinoto0103
  • mochi-k18

Poem

🐰 Headers hop and headers bound,
Security wrapped all around!
With addSecurityHeaders so neat,
Middlewares now skip to the beat—
Protection's served on every route! 🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the primary change: applying security headers uniformly to all routes instead of just protected ones, which directly reflects the implementation changes in the PR.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/security-headers-all-routes

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Mar 8, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/middleware.ts (1)

44-47: ⚠️ Potential issue | 🟠 Major

Wrap the redirect response too.

Line 47 still returns a bare NextResponse.redirect(loginUrl), so unauthenticated requests to protected routes are the one path that still miss the headers this PR is supposed to apply globally. That leaves the fix incomplete.

Proposed fix 
     if (!sessionId) {
       // No session cookie, redirect to login
       const loginUrl = new URL("/login", request.url);
-      return NextResponse.redirect(loginUrl);
+      return addSecurityHeaders(NextResponse.redirect(loginUrl));
     }
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/middleware.ts` around lines 44 - 47, The redirect for unauthenticated
requests currently returns NextResponse.redirect(loginUrl) directly (see
sessionId and loginUrl), so the global headers aren’t applied; change it to
create the redirect response (e.g., const res =
NextResponse.redirect(loginUrl)), apply the same header-setting logic you use
for other responses (the headers added in middleware.ts), and then return that
wrapped response so the security/trace headers are included on the redirect path
as well.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/middleware.ts`:
- Around line 44-47: The redirect for unauthenticated requests currently returns
NextResponse.redirect(loginUrl) directly (see sessionId and loginUrl), so the
global headers aren’t applied; change it to create the redirect response (e.g.,
const res = NextResponse.redirect(loginUrl)), apply the same header-setting
logic you use for other responses (the headers added in middleware.ts), and then
return that wrapped response so the security/trace headers are included on the
redirect path as well.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7e409c27-e429-40d3-8c30-fb26d0553165

📥 Commits

Reviewing files that changed from the base of the PR and between 646cf73 and 498bec2.

📒 Files selected for processing (1)
  • src/middleware.ts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@Aki603 Aki603 Awaiting requested review from Aki603

@kinoto0103 kinoto0103 Awaiting requested review from kinoto0103

@kotaro-0131 kotaro-0131 Awaiting requested review from kotaro-0131

@katsumata68 katsumata68 Awaiting requested review from katsumata68

@SakaYq4875 SakaYq4875 Awaiting requested review from SakaYq4875

At least 2 approving reviews are required to merge this pull request.

Assignees

@katsumata68 katsumata68

@rotarymars rotarymars

@kinoto0103 kinoto0103

@kotaro-0131 kotaro-0131

@Aki603 Aki603

@SakaYq4875 SakaYq4875

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rotarymars @katsumata68 @kinoto0103 @kotaro-0131 @Aki603 @SakaYq4875