Add security headers via vercel.json

[ali-jifi]

Added a vercel.json that sets security response headers on all routes:

• Content-Security-Policy - restricts the page to its own origin, plus any external resources the site uses: Google Fonts (fonts.googleapis.com / fonts.gstatic.com), the Google Calendar embed on the Events page (frame-src calendar.google.com), and the Gallery title fetch (connect-src r.jina.ai). Scripts are limited to 'self' with no unsafe-inline/unsafe-eval; style-src 'unsafe-inline' is required because React, GSAP, and Framer Motion set inline style attributes
• frame-ancestors 'none' + X-Frame-Options: DENY - clickjacking protection
• X-Content-Type-Options: nosniff
• Referrer-Policy: strict-origin-when-cross-origin
• Strict-Transport-Security- 2-year HSTS
• Permissions-Policy - disables camera, microphone, geolocation, and payment APIs

The site currently has no security headers, so the CSP is defense-in-depth against XSS and the rest are standard best practices for a static site

Reviewer notes

• Headers can't be tested locally, on the preview deployment, check the Events page (calendar iframe) and Gallery page (title fetch), any CSP violation will show in the browser console
• Any future external resource (analytics, image CDN, new embed) will need its domain added to the matching CSP directive

[vercel]

@ali-jifi is attempting to deploy a commit to the ACM UTA's projects Team on Vercel.

A member of the Team first needs to authorize it.

[ali-jifi]

not authorizing me to deploy commits to acm is crazy work

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
acmuta-site	Error		Jun 13, 2026 2:58am
acmuta-site-2026	Ready	Preview, Comment	Jun 13, 2026 2:58am