From a2ad697a2990b55f292581b03c9f52427fd58e06 Mon Sep 17 00:00:00 2001
From: "DESKTOP-RTLN3BA\\$punk"
Date: Tue, 5 May 2026 19:13:38 -0700
Subject: [PATCH] feat(next.config): enable remote SVG support with enhanced content security policy
---
 surfsense_web/next.config.ts | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/surfsense_web/next.config.ts b/surfsense_web/next.config.ts
index 6cfcb5187..81f349f26 100644
--- a/surfsense_web/next.config.ts
+++ b/surfsense_web/next.config.ts
@@ -29,6 +29,13 @@ const nextConfig: NextConfig = {
 hostname: "**",
 },
 ],
+ // Allow remote SVGs (e.g. README badges from img.shields.io, trendshift.io,
+ // etc.) which are otherwise blocked by next/image. The CSP below sandboxes
+ // the SVG and forbids any embedded scripts, which is the mitigation
+ // recommended by Vercel's NEXTJS_SAFE_SVG_IMAGES conformance rule.
+ dangerouslyAllowSVG: true,
+ contentDispositionType: "attachment",
+ contentSecurityPolicy: "default-src 'self'; script-src 'none'; sandbox;",
 },
 experimental: {
 optimizePackageImports: [
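Review bot: `dangerouslyAllowSVG: true` takes effect together with the `hostname: "**"` entry visible in the context lines just above it, so the optimizer will accept SVG from any remote host and serve it from the app's own origin, not only from the badge providers the comment names. The `contentDispositionType: "attachment"` setting and the `script-src 'none'; sandbox;` policy are the right containment for an image response opened directly, but they do not narrow which hosts are fetched. If badges are the only use case, consider listing those hosts explicitly in `remotePatterns`, or at least record the scope in the comment, e.g. `// NOTE: remotePatterns is "**", so this applies to SVG from any host; the CSP and attachment disposition are the only containment.` The `remotePatterns` entry and the enclosing `images` block start outside this hunk, so the protocol and any other restrictions on that pattern are not visible here.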