Cloudflare Pages migration with enforced CSP headers

GEMINI.md

@@ -130,9 +130,18 @@ bun run preview       # Preview production build
 
 ### Deployment Process
 
+This project is now deployed to Cloudflare Pages for enhanced security.
+
 1. **Private repo** (`seedpgp-web`): Source code, development
-2. **Public repo** (`seedpgp-web-app`): Built files for GitHub Pages
+2. **Cloudflare Pages**: Deploys from `seedpgp-web` repo directly.
-3. **Deploy script** (`scripts/deploy.sh`): Builds + copies to dist/ + pushes to public repo
+3. **GitHub Pages (Legacy)**: `seedpgp-web-app` public repo is retained for historical purposes, but no longer actively deployed to.
+
+### Cloudflare Pages Deployment
+
+1. Connect GitHub repo (`seedpgp-web`) to Cloudflare Pages.
+2. Build settings: `bun run build`, output directory: `dist/`.
+3. `public/_headers` file enforces Content Security Policy (CSP) and other security headers automatically.
+4. Benefits: Real CSP enforcement, not just a UI toggle.
 
 ### Git Workflow
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "seedpgp-web",
   "private": true,
-  "version": "1.4.0",
+  "version": "1.4.2",
   "type": "module",
   "scripts": {
     "dev": "vite",

public/_headers

@@ -0,0 +1,6 @@
+/*
+  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; form-action 'none'; base-uri 'self';
+  X-Frame-Options: DENY
+  X-Content-Type-Options: nosniff
+  X-XSS-Protection: 1; mode=block
+  Referrer-Policy: strict-origin-when-cross-origin

vite.config.ts

@@ -12,7 +12,8 @@ const gitHash = execSync('git rev-parse --short HEAD').toString().trim()
 
 export default defineConfig({
   plugins: [react()],
-  base: '/seedpgp-web-app/',
+  base: process.env.CF_PAGES ? '/' : '/seedpgp-web-app/',
+  publicDir: 'public',  // ← Explicitly set (should be default)
   build: {
     outDir: 'dist',
     emptyOutDir: false,