From 80390e7f1372a9de39b39dab91132baef28ea18c Mon Sep 17 00:00:00 2001 From: Mannu Date: Sat, 6 Jun 2026 12:59:38 +0530 Subject: [PATCH] fix(billing): allow Razorpay Checkout domains in CSP Checkout.razorpay.com script + payment iframe were blocked by CSP (CHECKOUT_LOAD_FAILED). Added Razorpay to: - script-src: https://checkout.razorpay.com - frame-src: https://*.razorpay.com https://api.razorpay.com (payment iframe) - connect-src: https://*.razorpay.com + lumberjack.razorpay.com (telemetry) - img-src: https://*.razorpay.com (payment-method logos) Co-Authored-By: Claude Opus 4.8 --- next.config.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/next.config.ts b/next.config.ts index 48bff22..c8e9284 100644 --- a/next.config.ts +++ b/next.config.ts @@ -22,10 +22,11 @@ const nextConfig: NextConfig = { { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" }, { key: "Content-Security-Policy", value: "default-src 'self'; " + - "img-src 'self' data: https://*.r2.cloudflarestorage.com https://*.r2.dev; " + - "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " + + "img-src 'self' data: https://*.r2.cloudflarestorage.com https://*.r2.dev https://*.razorpay.com; " + + "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://checkout.razorpay.com; " + "style-src 'self' 'unsafe-inline'; " + - "connect-src 'self' https://llm.manohargupta.com https://analytics.manohargupta.com; " + + "connect-src 'self' https://llm.manohargupta.com https://analytics.manohargupta.com https://*.razorpay.com https://lumberjack.razorpay.com; " + + "frame-src 'self' https://*.razorpay.com https://api.razorpay.com; " + "font-src 'self' data:;" }, ],
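Review bot: In the new `connect-src` and `frame-src` directives, `https://*.razorpay.com` already matches every Razorpay subdomain, so the explicit `https://lumberjack.razorpay.com` and `https://api.razorpay.com` entries add nothing, and the wildcard is broader than the hosts the commit message names. Because `script-src` still carries `'unsafe-inline' 'unsafe-eval'`, the `connect-src` allowlist is one of the few remaining limits on where injected script could send data, so it is worth keeping tight. If Checkout works with named hosts only, prefer `"frame-src 'self' https://api.razorpay.com; " +` and `https://api.razorpay.com https://lumberjack.razorpay.com` in `connect-src` (host list to be confirmed against Razorpay's documentation and a test payment); otherwise keep the wildcard and drop the redundant entries. A short comment above the CSP value saying which Razorpay feature needs each directive would help later audits. The `headers` array this entry belongs to starts and ends outside the hunk.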