From 848a098a42165a10aa63c1382d6d18d57df4282d Mon Sep 17 00:00:00 2001 From: Max Burri Date: Wed, 1 Jul 2026 09:29:50 +0200 Subject: [PATCH 1/3] fix: make the middleware matcher regex match index pages --- app/middleware.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/app/middleware.ts b/app/middleware.ts index 0dfbc5f5f..f081184f9 100644 --- a/app/middleware.ts +++ b/app/middleware.ts @@ -64,6 +64,12 @@ export function middleware(request: NextRequest) { export const config = { matcher: [ + // The negative-lookahead pattern below gets compiled by Next.js (when i18n + // is configured) into a regex that requires two path segments (locale + + // rest), which silently excludes bare locale-root paths like "/", "/de", + // "/en". Add those explicitly so they still go through the middleware. + "/", + "/(de|fr|it|en)", { source: "/((?!_next/static|_next/image|favicon\\.ico).*)", missing: [ From f950003446c319b780470ec373ca8fc4d8ec7517 Mon Sep 17 00:00:00 2001 From: Max Burri Date: Wed, 1 Jul 2026 09:48:34 +0200 Subject: [PATCH 2/3] doc: add changelog entry --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad618f37c..d0519e0d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,9 @@ You can also check the ## Unreleased +- Fixes + - Correctly set CSP headers for index pages + ## 6.5.0 – 2026-06-01 - Features From 3632973d13cc397585610e386078ce6df28ccd56 Mon Sep 17 00:00:00 2001 From: Max Burri Date: Thu, 9 Jul 2026 06:43:05 +0000 Subject: [PATCH 3/3] test: add e2e test for CSP headers on index and imprint pages Verify that the middleware correctly sets Content-Security-Policy headers on locale-root pages (/en) and content pages (/en/imprint), covering the fix in 848a098a4. Generated with [Devin](https://devin.ai) Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- e2e/csp-headers.spec.ts | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 e2e/csp-headers.spec.ts diff --git a/e2e/csp-headers.spec.ts b/e2e/csp-headers.spec.ts new file mode 100644 index 000000000..9f932f5b5 --- /dev/null +++ b/e2e/csp-headers.spec.ts @@ -0,0 +1,25 @@ +import { setup } from "./common"; + +const { test, describe, expect } = setup(); + +describe("CSP headers", () => { + test("should be set on the index page", async ({ page }) => { + const response = await page.goto("/en"); + expect(response).not.toBeNull(); + const csp = + response!.headers()["content-security-policy"] ?? + response!.headers()["content-security-policy-report-only"]; + expect(csp).toBeTruthy(); + expect(csp).toContain("frame-ancestors"); + }); + + test("should be set on the imprint page", async ({ page }) => { + const response = await page.goto("/en/imprint"); + expect(response).not.toBeNull(); + const csp = + response!.headers()["content-security-policy"] ?? + response!.headers()["content-security-policy-report-only"]; + expect(csp).toBeTruthy(); + expect(csp).toContain("frame-ancestors"); + }); +});