Added content security policy.

2022-07-31 23:29:47 -07:00 · 2022-07-31 23:29:47 -07:00 · adb069babc
parent 2b7da339e2
commit adb069babc
2 changed files with 36 additions and 9 deletions
--- a/middleware.js
+++ b/middleware.js
@ -33,14 +33,6 @@ function customScriptName(req) {
  }
 }

-function forceSSL(req, res) {
-  if (process.env.FORCE_SSL && req.nextUrl.protocol === 'http:') {
-    res.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
-  }
-
-  return res;
-}
-
 export default function middleware(req) {
  const fns = [customCollectEndpoint, customScriptName];

@ -51,5 +43,5 @@ export default function middleware(req) {
    }
  }

-  return forceSSL(req, NextResponse.next());
+  return NextResponse.next();
 }
--- a/next.config.js
+++ b/next.config.js
@ -1,6 +1,37 @@
 require('dotenv').config();
 const pkg = require('./package.json');

+const contentSecurityPolicy = `
+  default-src 'self';
+  img-src *;
+  script-src 'self' 'unsafe-eval';
+  style-src 'self' 'unsafe-inline';
+  connect-src 'self' api.umami.is;
+  frame-ancestors 'self';
+`;
+
+const headers = [
+  {
+    key: 'X-DNS-Prefetch-Control',
+    value: 'on',
+  },
+  {
+    key: 'X-Frame-Options',
+    value: 'SAMEORIGIN',
+  },
+  {
+    key: 'Content-Security-Policy',
+    value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+  },
+];
+
+if (process.env.FORCE_SSL) {
+  headers.push({
+    key: 'Strict-Transport-Security',
+    value: 'max-age=63072000; includeSubDomains; preload',
+  });
+}
+
 module.exports = {
  env: {
    currentVersion: pkg.version,
@ -24,6 +55,10 @@ module.exports = {
  },
  async headers() {
    return [
+      {
+        source: '/:path*',
+        headers,
+      },
      {
        source: `/(.*\\.js)`,
        headers: [