
fix(web): add baseline security response headers#1934

Open
richiemcilroy wants to merge 3 commits into main from security/response-headers

Conversation

richiemcilroy (Member) commented Jun 19, 2026

Adds baseline security response headers (X-Content-Type-Options, Referrer-Policy, HSTS, DNS-prefetch-control) globally. No framing restriction is added, so embedded videos keep working.

Greptile Summary

This PR adds a baseline set of security response headers to the Next.js app — X-Content-Type-Options, Referrer-Policy, X-DNS-Prefetch-Control, and HSTS — applied globally, with targeted X-Frame-Options: SAMEORIGIN guards on sensitive authenticated routes. Previous feedback on DNS prefetch direction, HSTS preload deferral, and admin/verify-otp coverage has been addressed.

  • Global headers (/:path*): nosniff, strict-origin-when-cross-origin referrer policy, DNS prefetch off, and a 2-year HSTS with includeSubDomains (no preload, intentionally deferred).
  • Clickjacking protection: X-Frame-Options: SAMEORIGIN added for /dashboard, /onboarding, /admin, /verify-otp, /login, and /signup; public embeddable routes (/s, /embed, /c) are deliberately excluded.
  • Gap: /invite/:path* (the org-invite acceptance page) is not in the protected list and can still be embedded cross-origin.

Confidence Score: 4/5

Safe to merge after adding /invite/:path* to the framing-protection list — everything else in the header baseline is correct and the intentional omissions are well-documented.

The invite-acceptance page (/invite/[inviteId]) was left out of the X-Frame-Options route list. It has interactive buttons that POST to org-membership API endpoints, so a cross-origin iframe embedding it is a real clickjacking vector. All other parts of the change look correct.

apps/web/next.config.mjs — the framing-protection route list needs /invite/:path* added.

Security Review

  • Clickjacking on invite acceptance (apps/web/next.config.mjs, line 109): /invite/[inviteId] is excluded from the X-Frame-Options: SAMEORIGIN protection added by this PR. The page lets authenticated users accept or decline org invitations via direct API calls, making it a viable clickjacking target for forcing unintended org-membership changes.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/web/next.config.mjs | Adds global security response headers and per-route X-Frame-Options protection; the /invite/:path* route is missing from the clickjacking-protection list. |
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
apps/web/next.config.mjs:109-119
**Invite acceptance route missing clickjacking protection**

`/invite/[inviteId]` is not in the `X-Frame-Options` protection list. That page renders "Accept" and "Decline" buttons that immediately POST to `/api/invite/accept` and `/api/invite/decline`, changing the authenticated user's org membership. A transparent iframe embedding this page lets an attacker trick a logged-in user into joining a malicious workspace. Adding `"/invite/:path*"` to the array here closes the gap.

Reviews (4): Last reviewed commit: "fix(web): extend clickjacking protection..."
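Added example, not code from this PR or from the Cap repository: a Next.js-style `headers()` configuration built from the header set the description above lists (nosniff, strict-origin-when-cross-origin, DNS prefetch off, two-year HSTS with includeSubDomains and no preload, X-Frame-Options: SAMEORIGIN on the authenticated routes, with `/invite/:path*` included as the review suggests), plus a small audit helper that resolves which headers a given path would receive so that a gap like the invite page can be caught in a test rather than in review. The exact header values, the `/:path*` suffix on each protected route, and the `sourceMatches` matcher (a simplified stand-in for the path matching Next.js performs) are assumptions of this example.

```javascript
// Added example (not the project's code): a Next.js-style headers() config
// reflecting the PR description, plus a tiny matcher to audit which routes
// actually receive X-Frame-Options. The route matcher is a simplified
// stand-in for Next.js's own path matching and only understands the
// "/:path*" and "/prefix/:path*" forms used here (assumption).

const TWO_YEARS_SECONDS = 60 * 60 * 24 * 365 * 2; // 63072000

// Global baseline headers applied to every route.
const globalHeaders = [
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "X-DNS-Prefetch-Control", value: "off" },
  // HSTS with includeSubDomains; no "preload" directive, deliberately deferred.
  {
    key: "Strict-Transport-Security",
    value: `max-age=${TWO_YEARS_SECONDS}; includeSubDomains`,
  },
];

// Authenticated routes that must not be framed cross-origin. Public embeddable
// routes (/s, /embed, /c) are intentionally absent so embedded videos keep
// working. "/invite/:path*" is the route the review flagged as missing.
const framingProtectedRoutes = [
  "/dashboard/:path*",
  "/onboarding/:path*",
  "/admin/:path*",
  "/verify-otp/:path*",
  "/login/:path*",
  "/signup/:path*",
  "/invite/:path*",
];

// Same shape as what next.config.mjs's async headers() returns.
function buildHeadersConfig() {
  return [
    { source: "/:path*", headers: globalHeaders },
    ...framingProtectedRoutes.map((source) => ({
      source,
      headers: [{ key: "X-Frame-Options", value: "SAMEORIGIN" }],
    })),
  ];
}

// Simplified matcher (assumption): "/:path*" matches everything;
// "/prefix/:path*" matches "/prefix" and anything below it.
function sourceMatches(source, pathname) {
  if (source === "/:path*") return true;
  const prefix = source.replace(/\/:path\*$/, "");
  return pathname === prefix || pathname.startsWith(prefix + "/");
}

// Resolve the effective header map for a request path (later entries win).
function resolveHeaders(pathname, config = buildHeadersConfig()) {
  const result = {};
  for (const entry of config) {
    if (!sourceMatches(entry.source, pathname)) continue;
    for (const { key, value } of entry.headers) result[key] = value;
  }
  return result;
}

// Audit helper: from a checklist of paths, return those that would still be
// frameable cross-origin. Run it over every authenticated, state-changing
// page so a newly added route cannot silently fall outside the list.
function unprotectedRoutes(checklist, config = buildHeadersConfig()) {
  return checklist.filter(
    (p) => resolveHeaders(p, config)["X-Frame-Options"] === undefined,
  );
}

// Sample audit over constructed paths; only the public embed routes remain frameable.
console.log(unprotectedRoutes(["/dashboard", "/invite/abc", "/embed/x", "/s/y"]));
```

The checklist in `unprotectedRoutes` is the part worth keeping as a unit test: the review comment above exists because the invite page was added to the app without being added to the header list, and a test that enumerates sensitive pages fails at that point instead of relying on a reviewer noticing.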

polarityinc (Bot) commented Jun 19, 2026

Paragon Review Skipped

Hi @richiemcilroy! Your Polarity credit balance is insufficient to complete this review.

Please visit https://app.paragon.run to finish your review.

@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

richiemcilroy (Member, Author) commented

@greptileai please review the PR

richiemcilroy (Member, Author) commented

@greptileai please review the PR

richiemcilroy (Member, Author) commented

@greptileai please review the PR
