Fix CSP to allow wallet connections - add RPC endpoints and wallet providers

LuminaEnvision · LuminaEnvision · commit a5e21211fbdf · 2026-01-26T17:27:17.000+07:00
Security measures were blocking wallet connections due to missing CSP
connect-src directives for wallet RPC endpoints and provider domains.

Fixed:
- Added Base RPC endpoints (Base Sepolia and Base Mainnet)
- Added wallet provider domains (MetaMask, WalletConnect, Coinbase, Rainbow, Uniswap)
- Added WebSocket connections for WalletConnect

This fixes:
- Wallet connection prompts not appearing
- Transaction prompts not showing
- Wallet provider connections being blocked by CSP

Bot protection verified - only affects API routes, not wallet connections.
Transaction modal z-index verified - higher than RainbowKit (9999 vs 1100).
Farcaster network switching verified - shows instructions correctly.
diff --git a/next.config.ts b/next.config.ts
@@ -118,7 +118,7 @@ const nextConfig: NextConfig = {
               "style-src 'self' 'unsafe-inline'",
               "img-src 'self' data: https: blob:",
               "font-src 'self' data:",
-              "connect-src 'self' https://api.neynar.com https://api.airstack.xyz https://gateway.pinata.cloud https://ipfs.io https://cloudflare-ipfs.com https://dweb.link wss:",
+              "connect-src 'self' https://api.neynar.com https://api.airstack.xyz https://gateway.pinata.cloud https://ipfs.io https://cloudflare-ipfs.com https://dweb.link https://mainnet.base.org https://sepolia.base.org https://base-mainnet.g.alchemy.com https://base-sepolia.g.alchemy.com https://base-mainnet.infura.io https://base-sepolia.infura.io https://*.walletconnect.com https://*.walletconnect.org https://*.metamask.io https://*.coinbase.com https://*.coinbasewallet.com https://*.rainbow.me https://*.uniswap.org wss: wss://*.walletconnect.com wss://*.walletconnect.org",
               "frame-src 'self'",
               "frame-ancestors https://warpcast.com https://client.warpcast.com https://farcaster.xyz https://client.farcaster.xyz https://app.farcaster.xyz https://www.farcaster.xyz https://www.warpcast.com https://app.warpcast.com https://base.org https://www.base.org https://base.dev https://www.base.dev https://app.base.org https://app.base.dev",
               "object-src 'none'",
