fix(ops): security headers (CSP / XFO / HSTS / etc) + website_submissions retention

Two audit-pass-#3 prod-readiness gaps. Security headers next.config.ts now emits CSP, X-Frame-Options=DENY, X-Content-Type-Options=nosniff, Referrer-Policy, Permissions-Policy on every response, plus HSTS in production. CSP allows the small set of inline-style/inline-script + unsafe-eval (dev-only) needed by Tailwind, Radix, and Next dev HMR; img-src/connect-src kept reasonably wide for s3.portnimara.com branding + Socket.IO. Verified via curl -I that headers ship and that the dashboard route still serves correctly. website_submissions retention Adds 'website-submissions-retention' case to the maintenance worker with a 180-day window and schedules it at 07:00 daily. Raw inquiry payloads include reCAPTCHA + IP + UA metadata; keeping them indefinitely was a privacy + storage gap that audit-pass-#3 flagged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 15:16:47 +02:00
parent 8690352c56
commit f10334683d
3 changed files with 76 additions and 0 deletions
--- a/src/lib/queue/scheduler.ts
+++ b/src/lib/queue/scheduler.ts
@@ -59,6 +59,8 @@ export async function registerRecurringJobs(): Promise<void> {
    { queue: 'maintenance', name: 'ai-usage-retention', pattern: '0 5 * * *' },
    // Migration 0040 contract: error_events older than 90 days get pruned.
    { queue: 'maintenance', name: 'error-events-retention', pattern: '0 6 * * *' },
+    // Raw website inquiry payloads — 180-day retention.
+    { queue: 'maintenance', name: 'website-submissions-retention', pattern: '0 7 * * *' },
  ];

  for (const job of recurring) {