fix(docs): exclude /docs from CSP that blocks Mintlify (#1750)

* fix(docs): exclude /docs from CSP header that blocks Mintlify scripts

The catch-all /(.*) header rule applied Content-Security-Policy with
SHA-based script-src to all routes including /docs/*. Mintlify generates
dozens of inline scripts that don't match those hashes, causing 71 CSP
errors and a completely blank docs page.

Fix: change catch-all to /((?!docs).*) so /docs paths inherit only
their own lightweight headers (nosniff, HSTS, referrer-policy).

* fix(tests): update deploy-config test for docs CSP exclusion

Test was looking for exact source '/(.*)', updated to match the new
'/((?!docs).*)' pattern that excludes /docs from the strict CSP.
Elie Habib
2026-03-17 11:26:25 +04:00
committed by GitHub
parent 4353c20637
commit a4e9e5e607
2 changed files with 2 additions and 2 deletions

@@ -25,7 +25,7 @@
]
},
{
"source": "/(.*)",
"source": "/((?!docs).*)",
"headers": [
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{ "key": "X-Frame-Options", "value": "SAMEORIGIN" },
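
Review bot: The lookahead in the new `"source": "/((?!docs).*)"` is not anchored to a path-segment boundary, so it excludes every path that begins with `/docs`, not only `/docs` and `/docs/*`. A later route with a name like `/docs-archive` or `/docsearch` (hypothetical names) would silently lose this block's headers, including the strict CSP and `X-Frame-Options: SAMEORIGIN`. Consider tightening the pattern to something like `/((?!docs(?:/|$)).*)`, provided the platform's path matcher accepts that form, and extending the deploy-config test to assert that a `/docs`-prefixed path that is not under `/docs/` still matches this rule. Separately, the commit message says /docs now inherits only nosniff, HSTS and referrer-policy, which leaves the docs pages with no CSP and no framing restriction at all. A relaxed docs-specific CSP, or at least `X-Frame-Options` or a `frame-ancestors` directive on the /docs rule, would keep clickjacking protection there instead of dropping it together with the script-src hashes.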