From 5b03824a725fbd79ed29b9b271bf6d2859bf2013 Mon Sep 17 00:00:00 2001
From: Felipe Coutinho
Date: Tue, 21 Apr 2026 14:44:18 +0000
Subject: [PATCH] fix(security): remover header CSP de respostas de API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CSP não tem efeito em respostas JSON e expunha domínios internos (Umami, Supabase, logo.dev) em endpoints públicos.
Co-Authored-By: Claude Sonnet 4.6
---
 src/proxy.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/proxy.ts b/src/proxy.ts
index 633821d..7885ec6 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -101,7 +101,9 @@ export default async function proxy(request: NextRequest) {
   }
   const response = NextResponse.next();
-  response.headers.set("Content-Security-Policy", buildCsp());
+  if (!pathname.startsWith("/api/")) {
+    response.headers.set("Content-Security-Policy", buildCsp());
+  }
   return response;
 }
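Review bot: The new `if (!pathname.startsWith("/api/"))` branch leaves API responses with no Content-Security-Policy at all, which drops the header's framing protection together with the origin disclosure the commit is fixing; a policy that names no origins keeps the former without the latter, e.g. `response.headers.set("Content-Security-Policy", pathname.startsWith("/api/") ? "frame-ancestors 'none'" : buildCsp());`. Note also that `pathname` is declared above the hunk, so the exemption presumably relies on it being the normalized request path; if that ever comes from the raw URL, an `/api` route reached with a different casing or without the trailing slash would still receive the full page policy. Either way the intent deserves a comment on the `if`, e.g. `// API routes return JSON: the page CSP is useless there and would disclose its allowed origins`. proxy() begins before this hunk.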