From adb069babc48e194562b02b1a9f8e5f9d3c59534 Mon Sep 17 00:00:00 2001
From: Mike Cao
Date: Sun, 31 Jul 2022 23:29:47 -0700
Subject: [PATCH] Added content security policy.

---
 middleware.js | 10 +---------
 next.config.js | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/middleware.js b/middleware.js
index cf957b746a..fb7fe7f55f 100644
--- a/middleware.js
+++ b/middleware.js
@@ -33,14 +33,6 @@ function customScriptName(req) {
 }
 }

-function forceSSL(req, res) {
- if (process.env.FORCE_SSL && req.nextUrl.protocol === 'http:') {
- res.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
- }
-
- return res;
-}
-
 export default function middleware(req) {
 const fns = [customCollectEndpoint, customScriptName];

@@ -51,5 +43,5 @@ export default function middleware(req) {
 }
 }

- return forceSSL(req, NextResponse.next());
+ return NextResponse.next();
 }
diff --git a/next.config.js b/next.config.js
index 10624451ba..b5e4b80651 100644
--- a/next.config.js
+++ b/next.config.js
@@ -1,6 +1,37 @@
 require('dotenv').config();
 const pkg = require('./package.json');

+const contentSecurityPolicy = `
+ default-src 'self';
+ img-src *;
+ script-src 'self' 'unsafe-eval';
+ style-src 'self' 'unsafe-inline';
+ connect-src 'self' api.umami.is;
+ frame-ancestors 'self';
+`;
+
+const headers = [
+ {
+ key: 'X-DNS-Prefetch-Control',
+ value: 'on',
+ },
+ {
+ key: 'X-Frame-Options',
+ value: 'SAMEORIGIN',
+ },
+ {
+ key: 'Content-Security-Policy',
+ value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+ },
+];
+
+if (process.env.FORCE_SSL) {
+ headers.push({
+ key: 'Strict-Transport-Security',
+ value: 'max-age=63072000; includeSubDomains; preload',
+ });
+}
+
 module.exports = {
 env: {
 currentVersion: pkg.version,
@@ -24,6 +55,10 @@ module.exports = {
 },
 async headers() {
 return [
+ {
+ source: '/:path*',
+ headers,
+ },
+ {
+ source: `/(.*\\.js)`,
+ headers: [
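Review bot: `script-src 'self' 'unsafe-eval'` in the contentSecurityPolicy template gives back most of what the policy buys against injected markup, because any script that does run may call eval/Function; in my experience 'unsafe-eval' is only needed for the development bundle, so gate it on the environment, e.g. `script-src 'self'${process.env.NODE_ENV === 'production' ? '' : " 'unsafe-eval'"};`. `base-uri` and `form-action` do not fall back to `default-src`, so add `base-uri 'self'; form-action 'self';` (and `object-src 'none';`) to keep an injected `<base>` tag or form target from pointing off-site. `connect-src 'self' api.umami.is` carries no scheme, which on a page served over http also matches plain-http requests to that host — write it as `https://api.umami.is`. The FORCE_SSL block only emits HSTS with `preload`; nothing in this diff redirects http to https, and `preload` is a long-lived commitment that is hard to reverse for whoever deploys this, so consider dropping `preload` from the default or documenting that operators must opt in. The `module.exports` object in the trailing context continues outside the hunk.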