BugFixes galore

proxy.ts

@@ -51,14 +51,24 @@ function isPublicPath(pathname: string): boolean {
 // ---------------------------------------------------------------------------
 // Security headers applied to every response
 // ---------------------------------------------------------------------------
+const isDev = process.env.NODE_ENV !== "production";
+
 function buildCSP(nonce: string): string {
+  // In dev, Next.js hot-reload and some auth libs require 'unsafe-eval'.
+  // In production we restrict to 'wasm-unsafe-eval' (WebAssembly only).
+  const evalDirective = isDev ? "'unsafe-eval'" : "'wasm-unsafe-eval'";
+
   return [
     "default-src 'self'",
-    `script-src 'self' 'nonce-${nonce}'`,
+    `script-src 'self' 'nonce-${nonce}' ${evalDirective} 'unsafe-inline'`,
     "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
     "font-src 'self' https://fonts.gstatic.com data:",
     "img-src 'self' data: blob: https://crafatar.com https://mc-heads.net https://visage.surgeplay.com https://minotar.net",
-    "connect-src 'self' ws: wss:",
+    // In dev, include http://localhost:* explicitly so absolute-URL fetches
+    // (e.g. from Better Auth client) aren't blocked by a strict 'self' check.
+    isDev
+      ? "connect-src 'self' http://localhost:* ws://localhost:* wss://localhost:* ws: wss:"
+      : "connect-src 'self' ws: wss:",
     "frame-src 'self'",
     "frame-ancestors 'self'",
     "worker-src 'self' blob:",