From a4e9e5e607702e297967e4d23998e5b4d3f7f2e9 Mon Sep 17 00:00:00 2001
From: Elie Habib
Date: Tue, 17 Mar 2026 11:26:25 +0400
Subject: [PATCH] fix(docs): exclude /docs from CSP that blocks Mintlify (#1750)

* fix(docs): exclude /docs from CSP header that blocks Mintlify scripts

The catch-all /(.*) header rule applied Content-Security-Policy with SHA-based script-src to all routes including /docs/*. Mintlify generates dozens of inline scripts that don't match those hashes, causing 71 CSP errors and a completely blank docs page.

Fix: change catch-all to /((?!docs).*) so /docs paths inherit only their own lightweight headers (nosniff, HSTS, referrer-policy).

* fix(tests): update deploy-config test for docs CSP exclusion

Test was looking for exact source '/(.*)', updated to match the new '/((?!docs).*)' pattern that excludes /docs from the strict CSP.
---
 tests/deploy-config.test.mjs | 2 +-
 vercel.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/deploy-config.test.mjs b/tests/deploy-config.test.mjs
index ca35378b4..832344319 100644
--- a/tests/deploy-config.test.mjs
+++ b/tests/deploy-config.test.mjs
@@ -63,7 +63,7 @@ describe('deploy/cache configuration guardrails', () => {
 });
 const getSecurityHeaders = () => {
- const rule = vercelConfig.headers.find((entry) => entry.source === '/(.*)');
+ const rule = vercelConfig.headers.find((entry) => entry.source === '/((?!docs).*)');
 return rule?.headers ?? [];
 };
diff --git a/vercel.json b/vercel.json
index 4632b4108..d3c1d5887 100644
--- a/vercel.json
+++ b/vercel.json
@@ -25,7 +25,7 @@
 ]
 },
 {
- "source": "/(.*)",
+ "source": "/((?!docs).*)",
 "headers": [
 { "key": "X-Content-Type-Options", "value": "nosniff" },
 { "key": "X-Frame-Options", "value": "SAMEORIGIN" },
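Review bot: The updated `getSecurityHeaders` helper only pins the strict-header rule by its exact source string; nothing in the test asserts what that pattern now matches, so the security-relevant property of this change — `/docs/...` excluded, every other path still covered — is unverified and an accidental widening of the exclusion would pass CI. I'd add a case beside this helper that evaluates the source as a regex, e.g. `const re = new RegExp('^' + '/((?!docs).*)' + '$');`, `assert.ok(re.test('/') && re.test('/api/x'), 'non-docs paths keep strict headers');`, `assert.ok(!re.test('/docs/intro'), '/docs is excluded');` plus a probe for a path such as `/docs-legacy` to document whether that exclusion is intended (this approximates Vercel's path-to-regexp matcher rather than calling it, so confirm the semantics agree). Since `rule?.headers ?? []` yields an empty list when the rule is missing, a future rename of the source would surface as vague header-assertion failures; `assert.ok(rule, 'strict security-header rule not found in vercel.json');` before the return gives a direct message. The enclosing `describe` block starts before this hunk.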
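Review bot: The new source `/((?!docs).*)` excludes every path that merely starts with `docs` — `/docs-legacy`, `/docsearch`, `/docsanything` — from this rule, not just the docs section, because the negative lookahead is not tied to a path-segment boundary; a tighter form is `"source": "/((?!docs(?:/|$)).*)"` (confirm Vercel's path-to-regexp accepts the `$` inside a custom group before relying on it). Dropping `/docs` from this rule also removes the `X-Frame-Options: SAMEORIGIN` header visible at the end of the hunk, and the commit message says the `/docs` rule only sets nosniff, HSTS and referrer-policy, so the docs pages appear to lose clickjacking protection entirely; either copy `X-Frame-Options` into the `/docs` rule or give `/docs` its own relaxed CSP that still carries `frame-ancestors 'self'` instead of no CSP at all. Strict JSON cannot hold a comment explaining why the catch-all carves out `/docs`, so that rationale belongs in the deploy-config test or a README note. This rule's `headers` array continues past the end of the hunk, and the `/docs` rule itself is outside it.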