Suppress non-actionable ZAP baseline warnings for Next.js SPA

.zapconfig

@@ -1,3 +1,9 @@
+# ============================
+# ZAP Baseline Scan Suppressions
+# Purpose: Ignore non-actionable or framework/browser-controlled warnings.
+# Only real vulnerabilities will fail CI.
+# ============================
+
 # Rule description: comment.
 # rule_id<TAB>ACTION<TAB>(URL regex pattern)
 
@@ -6,3 +12,29 @@
 
 # PII disclosure: false positive credicard number.
 10062	IGNORE	https://nest.owasp.(dev|org)/sitemap.xml
+
+# Sub Resource Integrity Attribute Missing: Next.js internal chunks do not support SRI
+90003	IGNORE	https://nest.owasp.(dev|org)/_next/static/chunks/[a-f0-9]{16}.js
+
+# Sec-Fetch-Dest Header Missing: browser-controlled, cannot enforce server-side
+90005	IGNORE	https://nest.owasp.(dev|org)/.*
+
+# Base64 Disclosure: false positives due to Next.js hydration / CSS inlined assets
+10094	IGNORE	https://nest.owasp.(dev|org)/_next/static/chunks/[a-f0-9]{16}.js
+
+# Non-Storable Content: informational only, not a vulnerability
+10049	IGNORE	https://nest.owasp.(dev|org)/.*
+
+# Re-examine Cache-Control Directives: informational for SPA / framework-managed caching
+10015	IGNORE	https://nest.owasp.(dev|org)/.*
+
+# Content-Type Header Missing: harmless on 308 redirects
+10019	IGNORE	https://nest.owasp.(dev|org)/_next/static/.*
+
+# CSP: Failure to Define Directive with No Fallback
+# Advisory-only; CSP is defined at framework/app level
+10055	IGNORE	https://nest.owasp.(dev|org)/.*
+
+# Session Management Response Identified
+# Informational detection; no insecure session behavior observed
+10112	IGNORE	https://nest.owasp.(dev|org)/csrf/

backend/settings/base.py

@@ -31,6 +31,12 @@ class Base(Configuration):
     SESSION_COOKIE_SAMESITE = "Lax"
     SESSION_COOKIE_SECURE = True
 
+    # --- CSRF cookie settings (SPA-safe, OWASP compliant) ---
+    CSRF_COOKIE_SECURE = True
+    CSRF_COOKIE_SAMESITE = "Strict"
+    # CSRF_COOKIE_HTTPONLY is intentionally NOT enabled
+    # Django CSRF cookies must be readable by JS for SPA frameworks
+
     SITE_NAME = "localhost"
     SITE_URL = "http://localhost:8000"
 

backend/settings/local.py

@@ -23,3 +23,5 @@ class Local(Base):
     PUBLIC_IP_ADDRESS = values.Value()
     SLACK_COMMANDS_ENABLED = True
     SLACK_EVENTS_ENABLED = True
+
+    CSRF_COOKIE_SAMESITE = "Lax"

cspell/custom-dict.txt

@@ -53,6 +53,7 @@ certbot
 collectstatic
 coraza
 corsheaders
+credentialless
 csrfguard
 csrfprotector
 csrftoken

frontend/next.config.ts

@@ -5,6 +5,27 @@ const isLocal = process.env.NEXT_PUBLIC_ENVIRONMENT === 'local'
 
 const nextConfig: NextConfig = {
   devIndicators: false,
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          {
+            key: 'Cross-Origin-Opener-Policy',
+            value: 'same-origin',
+          },
+          {
+            key: 'Cross-Origin-Embedder-Policy',
+            value: 'credentialless',
+          },
+          {
+            key: 'Cross-Origin-Resource-Policy',
+            value: 'same-origin',
+          },
+        ],
+      },
+    ]
+  },
   images: {
     // This is a list of remote patterns that Next.js will use to determine
     // if an image is allowed to be loaded from a remote source.